FORUM 2013 Cyber Risks - not just a domain for IT

Date post: 27-Jan-2015

Upload: ferma

Transcript
Page 1: FORUM 2013 Cyber Risks - not just a domain for IT

Cyber Risks – Not Just a Domain for IT

The Evolving Threat to Companies in Europe and Risk Transfer

Tracie Grella

Global Head of Professional Liability

AIG Property Casualty


Page 2: FORUM 2013 Cyber Risks - not just a domain for IT

Client Perception

8/10/2013 2

How concerned are you about this type of risk for your company?

1 Cyber Risks 86%

2 Loss of Income 82%

3 Property Damage 80%

4 Workers Compensation 78%

5 Utility Interruption 76%

6 Securities and Investment Risk 76%

7 Auto/Fleet Risk 65%

All audiences agree (share of clients who believe):

• Hackers are the primary source of cyber threats: 82%

• Human error is a significant source of cyber risk: 74%

• IT finds it difficult to keep up with cyber threats because they are evolving so quickly: 80%

Page 3: FORUM 2013 Cyber Risks - not just a domain for IT

DLA Piper CIO Daniel Pollick

“There has been a change in atmosphere in the past 18 months. Governments are taking cyber security more seriously and are pushing it to the top of business agendas”

Cyber Crime Attacks

Causes of a Data Breach

• Threat actions: Hacking 52%, Social Tactics 29%

• Threat agents: Organized Crime 52%, State Sponsored 19%, Insiders 14%

• 50% of insiders who committed sabotage were former employees taking advantage of access that was not disabled

(Verizon Data Breach Report 2013 and AIG)

Cyber Trends

• 70% of breaches were spotted by an external party, 9% were spotted by customers (Verizon Data Breach Report 2013)

• 76% of network intrusions exploited weak or stolen credentials (Verizon Data Breach Report 2013)

• Claim volume up by 67% in 2012 and 71% in 2013 (AIG)

• Only 20% of middle market and large organizations purchase cyber insurance (AIG)

43% of organizations in the Eurozone experienced more than 3 attacks

65% of companies across 62 countries are extremely concerned about cyber attacks

4 of 5 top banks in the UK say that cyber attacks now represent a major threat to their stability

Page 4: FORUM 2013 Cyber Risks - not just a domain for IT

Country Exposure

Russia: number of cyber crimes grew 33% in 2012

Belgium: cost of cyber crime EUR 5bn

Italy: 16,456 hacks against organizations in the 1st half of 2013, up 57% from the same period last year

UK: cost of cyber crime is £27bn

• Cost to UK business estimated at £21bn

• Average cost of resolving a data breach is £2.04m

• Scotland: total cost of cyber crime is £5bn; £158 lost every minute

Ireland: 37 breaches in 2012, 68 over the last 3 years

Germany: cost to German business EUR 43bn

Page 5: FORUM 2013 Cyber Risks - not just a domain for IT

Business Enterprise Risk

Typical Hourly Cost of Downtime by Industry (in US Dollars)

Brokerage Service 6.48 million

Energy 2.8 million

Telecom 2.0 million

Manufacturing 1.6 million

Retail 1.1 million

Healthcare 636,000

Media 90,000

*Source: Network Computing, the Meta Group and Contingency Planning Research

The accounting:

Employees can’t access systems

Consumers can’t access your product

You disrupt a 3rd party’s supply chain

Unexpected costs

Reputation damage

Stock drops

Investigations

Page 6: FORUM 2013 Cyber Risks - not just a domain for IT

Business Enterprise Risk

Employees can’t access systems
o Down for an extended period

Consumers can’t access your product
o Loss in net sales
o Infrastructure
o Breach of service agreements

You disrupt a 3rd party’s supply chain
o Inability for upstream production or delivery
o Legal penalties for breach of contractual obligations

Unexpected costs
o Business continuation costs
o Critical computer components damaged
o Re-uploading and patching of system-critical software
o Replacing lost or destroyed data sets

Reputation damage
o Cost to your brand
o Consumer churn
o Loss of contracts or other business opportunities
o Business lost to competitors
o Coupons and discounts

Stock drops
o Average stock drop related to a cyber event: 5%

Investigations
o Own internal
o Regulatory
o Shareholder discovery

Page 7: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond

Stages of a cyber event: PRE BIND SOLUTIONS > INCIDENT / BREACH > FORENSICS > LEGAL / PR > NOTIFICATION > INVESTIGATION > FINES

Page 8: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Pre-bind solutions

• Awareness & Education

• Loss Mitigation Tools

Page 9: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Incident / Breach

• Loss of Clients

• Stock Drop

• Cyber Extortion

• Business Interruption

• Crisis Management

Page 10: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Forensics

• Costs to Identify Exposed Records

• Contain the Breach

• Restore Data

Page 11: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Legal / PR

• Breach Coach and Legal Defense

• Legal Costs to Aid Victims of ID Theft

Page 12: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Notification

• Credit Monitoring

• Mandatory Notification: Telecomm; Countries (Germany, Norway, Austria, Spain)

• Regulators

• Individuals

• Voluntary Notification

Page 13: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Investigation

• Client

• Regulatory

• Shareholders

• 3rd Party Liability

Page 14: FORUM 2013 Cyber Risks - not just a domain for IT

How Insurance Can Respond: Fines

• Administrative

• Industry Standards (PCI)

Page 15: FORUM 2013 Cyber Risks - not just a domain for IT


Cyber risks – not just a domain for IT

Kevin P. Kalinich, J.D.

Global Practice Leader – Cyber Insurance

Aon plc

[email protected]

October 1, 2013

Page 16: FORUM 2013 Cyber Risks - not just a domain for IT


Cyber Insurance Outline

• 2013 Evolving Trends
o Financial Statement Impact
o Board of Directors Issue
o All Industries Impacted

• Cyber Risk Identification
o Classify, Qualify & Quantify

• Risk Mitigation

• Existing Insurance Policy Gap Analysis

Page 17: FORUM 2013 Cyber Risks - not just a domain for IT


2013 Evolving Trends

• EU organizations’ increasing reliance on evolving technologies
o Mobile (including payments)
o Cloud Computing
o Social Media
o Data Analytics (“Big Data”)
o Third Party Vendor Issues

• Payment Card Industry Data Security Standards: Fines & Penalties

• Data transfers to US in wake of NSA

• Cyber Risks Financial Statement Impact
o Actuarial Modeling
o Board of Directors Liability?

• Managing Cyber Security as Business Risk: Cyber Insurance in the Digital Age (August 2013: http://assets.fiercemarkets.com/public/newsletter/fiercehealthit/experian-ponemonreport.pdf)

Hacker steals data of 2 million Vodafone Germany clients

British police arrest eight over cyber theft at Barclays

http://www.emwllp.com/news/confidential-information-theft-cases-reach-record-high/

Aon Risk Solutions EMEA

Proprietary & Confidential |

Page 18: FORUM 2013 Cyber Risks - not just a domain for IT

E-Business Evolution

• Global Business

• Social Networks

• SaaS / on-line subscription

• Mobile Apps

• Cloud Computing

• Outsourcing

Proposed New EU Data Privacy Protection Law

72 Hour Notice Period

“Right to be forgotten”

Penalties up to 2% of global annual turnover

Take effect two years after adoption

Page 19: FORUM 2013 Cyber Risks - not just a domain for IT

Cyber Risk Identification


• Identify & Classify Cyber Exposures (online and offline – hard copy)

• Qualify

• Quantify

• Financial Statement Impact

• A Checklist for Corporate Directors and the C-Suite: Data Privacy & Security Oversight (http://www.networkedlawyers.com/category/confidential-information-trade-secrets/)

http://www.aon.com/unitedkingdom/products-and-services/risk-services/datarisks.jsp

Page 20: FORUM 2013 Cyber Risks - not just a domain for IT

Exposure Analysis

Page 21: FORUM 2013 Cyber Risks - not just a domain for IT

Proprietary Cyber Risk Discovery Process

Process: Risk Transfer Needs Diagnostic > Program Design & Marketing > Customized Ongoing Services

Areas reviewed:

• New Products and/or Services
• Quality Controls
• Employee Training
• Contract Management
• Dispute Resolution
• Data Risks
• Privacy Policy
• Security Controls
• Data Breach Response Plan
• Content development/clearance
• Intellectual Property Review
• Procurement Process
• Vendor Diligence
• Limitation of Liability
• Cloud

Page 22: FORUM 2013 Cyber Risks - not just a domain for IT

Cyber Risk Actuarial Analysis growing

RISK vs. UNCERTAINTY

RISK = something you can put a price on (e.g. roughly 1 chance in 11 to hit an inside straight on the river in Texas Hold’Em: 4 outs among 46 unseen cards)

UNCERTAINTY = risk that is hard to measure (e.g. cyber exposure frequency & severity)

“We ignore the risks that are hardest to measure, even when they pose the greatest threats to our well-being” -- Nate Silver, The Signal and the Noise: Why So Many Predictions Fail – But Some Don’t

Actuarial analysis inputs:

• Review comparable cyber losses
• Peer benchmarking
• Monte Carlo simulations

Financial impact options:

• Risk acceptance
• Risk avoidance
• Risk retention
• Risk transfer: contractual allocation, cyber insurance

Risk mitigation is key in all cases

Board of Directors liability?

Integrate with Enterprise Risk Management
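The Monte Carlo simulation listed above is how a frequency assumption and a severity assumption become a loss distribution that can be priced: an expected annual loss, a maximum probable loss at a chosen confidence level, and the probability of exceeding a retention or policy limit. The block below is an added, illustrative example written for this page, not code from Aon or from the speaker. Every parameter in it is an assumption chosen for illustration (2 incidents a year, a median incident cost of 250,000, a lognormal shape of 1.0); in practice they would be calibrated from the comparable losses and peer benchmarking the slide names. It goes one step beyond the slide with a sensitivity function that makes the risk-versus-uncertainty point concrete: a modest change in the severity shape moves the 99th-percentile loss far more than it moves the mean.

```python
"""Monte Carlo annual cyber-loss model: Poisson frequency x lognormal severity.

Added illustrative example; all parameters below are assumptions, not market data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberLossModel:
    incidents_per_year: float  # Poisson rate: expected number of incidents per year
    median_loss: float         # lognormal median cost of one incident (currency units)
    severity_sigma: float      # lognormal shape: std dev of log(cost); drives the tail


# Assumed parameters for illustration (would be calibrated from comparable losses / peers).
EXAMPLE_MODEL = CyberLossModel(incidents_per_year=2.0, median_loss=250_000.0, severity_sigma=1.0)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) variate (Knuth's multiplication method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(model: CyberLossModel, years: int, seed: int = 2013) -> list[float]:
    """Simulate `years` independent years; each year's loss is the sum of its incidents' costs."""
    rng = random.Random(seed)           # fixed seed: reproducible runs
    mu = math.log(model.median_loss)    # lognormal mu such that the median is median_loss
    losses = []
    for _ in range(years):
        n_incidents = poisson_sample(rng, model.incidents_per_year)
        losses.append(sum(rng.lognormvariate(mu, model.severity_sigma) for _ in range(n_incidents)))
    return losses


def analytic_expected_loss(model: CyberLossModel) -> float:
    """Closed form for the mean: rate * E[severity] = rate * median * exp(sigma^2 / 2)."""
    return model.incidents_per_year * model.median_loss * math.exp(model.severity_sigma ** 2 / 2)


def percentile(values: list[float], q: float) -> float:
    """q-th quantile (0 < q <= 1) by nearest rank on the sorted sample."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds `threshold` (a retention or a limit)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(model: CyberLossModel, years: int = 20_000, seed: int = 2013) -> dict[str, float]:
    """Headline numbers a risk manager would carry into an insurance discussion."""
    losses = simulate_annual_losses(model, years, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "pml_95": percentile(losses, 0.95),       # 1-in-20-year loss
        "pml_99": percentile(losses, 0.99),       # 1-in-100-year loss ("maximum probable loss")
        "p_exceed_1m": exceedance_probability(losses, 1_000_000.0),
    }


def tail_sensitivity(model: CyberLossModel, sigmas: tuple[float, ...], years: int = 20_000) -> dict[float, float]:
    """99th-percentile annual loss for each severity shape: parameter uncertainty dominates the tail."""
    return {
        s: percentile(simulate_annual_losses(CyberLossModel(model.incidents_per_year, model.median_loss, s), years), 0.99)
        for s in sigmas
    }


if __name__ == "__main__":
    for key, value in summarize(EXAMPLE_MODEL).items():
        print(f"{key:>22}: {value:,.0f}" if value > 1 else f"{key:>22}: {value:.3f}")
    for sigma, p99 in tail_sensitivity(EXAMPLE_MODEL, (0.5, 1.0, 1.5)).items():
        print(f"sigma={sigma}: 99th percentile annual loss {p99:,.0f}")
```

The mean is checked against its closed form because that is the one number the simulation cannot get wrong; the tail percentiles are where the uncertainty lives, and the sensitivity table is the argument for treating the severity shape, not the incident rate, as the parameter to spend effort calibrating.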

Page 23: FORUM 2013 Cyber Risks - not just a domain for IT

Risk Mitigation

• Comprehensive cyber risk mitigation program: needs management support

• Although IT security & use policies are important, it is MUCH MORE THAN AN IT SECURITY ISSUE

• Engage inter-departmental coordination and cooperation:
o Risk Management
o Finance/Treasury
o Legal
o Human Resources
o CIO, CPO, CISO, etc.
o IT Security

• Education on legal exposures: train & monitor employees & all others

• Ensure compliance with the organization’s privacy policy regarding 3rd party Personally Identifiable Information

• Data breach management policy – continuously update

• Third party exposures:
o Vendor/Supplier Management
o Contractual Considerations
o Vendor/Supplier Audits

Page 24: FORUM 2013 Cyber Risks - not just a domain for IT

Sample 10 Questions To Ask

Question: Do you have an Information Security Policy?
Takeaway: Most will say yes. If no, it would suggest a lack of awareness of the issues, and the organisation would therefore be unlikely to be ready for the product.

Question: Is it based on any Information Security Standard?
Takeaway: Ideal answer would be ISO 27002, as this is well understood and recognised by the market.

Question: What is the governance structure for managing IS risk & controls?
Takeaway: Presence of a structure is an indicator of a mature organisation that understands and is looking to manage the risks.

Question: How do you maintain assurance of your internal IT controls?
Takeaway: If there is an indication that a robust regime is in place, a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk.

Question: Do you use third party suppliers?
Takeaway: Need for the product is increased if yes; need to find out the scope of services. If critical, the need for cyber risk transfer is increased.

Question: Do you obtain assurance of their data/security controls?
Takeaway: Ideal answer is yes, via a recognised method, i.e. SSAE 16/SAS 70 or another auditing standard. These will be readily accepted as evidence.

Question: What is your approach to the management of mobile devices?
Takeaway: Every client will have this issue; laptop and device encryption are key controls. Lack of an informed response is not a good indicator.

Question: What are your key controls to determine if you are being subject to a cyber attack?
Takeaway: This provides an insight into the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service.

Question: Do you have a cyber response team or plan?
Takeaway: Key area for extra service sales. Most do not, and failure to respond quickly enough drives up the final incident cost.

Question: Have you ever needed to complete a forensic examination of your IT equipment?
Takeaway: As above. Often key evidence is destroyed through lack of awareness.
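The question about key controls for spotting an attack in progress, read together with the Page 3 statistic that 76% of network intrusions exploited weak or stolen credentials and the Verizon finding later in this deck that most breaches go undiscovered for months, points at the most basic monitoring control an organisation can stand up: watching authentication logs for credential guessing. The block below is an added example written for this page, not code from Aon, AIG or Verizon. It parses a constructed sample of sshd log lines (the hostnames, usernames and addresses are made up; classic syslog timestamps carry no year, so the year is assumed) and raises three kinds of alert per source address: brute force against one or more accounts, password spraying across many accounts, and, the one that matters most, a successful login from a source that had just been failing.

```python
"""Flag credential brute force / password spraying in sshd auth logs (constructed sample lines).

Added illustrative example; the log lines are constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (RFC 5737 documentation addresses; not real systems or users).
SAMPLE_LOG = """\
Oct  1 09:00:01 vpn1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  1 09:00:02 vpn1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct  1 09:00:03 vpn1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Oct  1 09:00:04 vpn1 sshd[1204]: Failed password for jsmith from 203.0.113.7 port 51237 ssh2
Oct  1 09:00:05 vpn1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Oct  1 09:00:06 vpn1 sshd[1206]: Failed password for mjones from 203.0.113.7 port 51239 ssh2
Oct  1 09:00:09 vpn1 sshd[1207]: Accepted password for jsmith from 203.0.113.7 port 51240 ssh2
Oct  1 09:15:30 vpn1 sshd[1300]: Failed password for akhan from 198.51.100.23 port 40010 ssh2
Oct  1 09:15:41 vpn1 sshd[1301]: Accepted password for akhan from 198.51.100.23 port 40011 ssh2
Oct  1 10:02:10 vpn1 sshd[1400]: Accepted publickey for deploy from 192.0.2.50 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
LOG_YEAR = 2013  # assumption: classic syslog timestamps carry no year


def parse_line(line: str):
    """Return {'ts','result','method','user','src'} for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(log_text: str, window_s: int = 60, fail_threshold: int = 5,
           spray_users: int = 3, success_after: int = 3) -> list:
    """Sliding-window detector keyed on source address.

    brute_force:            >= fail_threshold failures from one source inside window_s seconds
    password_spray:         failures against >= spray_users distinct accounts from one source in the window
    success_after_failures: a login accepted from a source with >= success_after recent failures
                            (the guessed or stolen credential worked: highest priority)
    """
    failures = defaultdict(deque)   # src -> deque of (timestamp, username) still inside the window
    alerts, seen = [], set()

    def raise_alert(kind, ev, q):
        if (ev["src"], kind) not in seen:            # one alert per source and kind
            seen.add((ev["src"], kind))
            alerts.append({"kind": kind, "src": ev["src"], "ts": ev["ts"],
                           "users": sorted({u for _, u in q}), "login_user": ev["user"]})

    for event in map(parse_line, log_text.splitlines()):
        if event is None:
            continue
        q = failures[event["src"]]
        while q and (event["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                               # expire failures that fell out of the window
        if event["result"] == "Failed":
            q.append((event["ts"], event["user"]))
            if len(q) >= fail_threshold:
                raise_alert("brute_force", event, q)
            if len({u for _, u in q}) >= spray_users:
                raise_alert("password_spray", event, q)
        elif len(q) >= success_after:
            raise_alert("success_after_failures", event, q)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['kind']:<24} src={a['src']} users={a['users']} login={a['login_user']}")
```

The thresholds are parameters because the right values depend on the environment; a single typo followed by a successful login (the second source in the sample) must not page anyone. The success-after-failures rule is the one to page on: it is the point at which a guessed or stolen credential has actually worked and the months-to-discovery clock starts.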

Page 25: FORUM 2013 Cyber Risks - not just a domain for IT

Can’t ‘traditional’ insurance help?

Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies

Property: Malware and Denial-of-Service attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’.

General Liability: CGL privacy coverage limited to ‘publication or utterance’ resulting in one of the traditional privacy torts. Unauthorized access exclusions.

E&O: Requires negligence in provision of defined business activities.

Crime: Crime policies require intent… theft of money, securities, or tangible property. Intentional acts and insured vs. insured issues.

Generally: No coverage for expensive crisis expenses required by law or to protect reputation.

Page 26: FORUM 2013 Cyber Risks - not just a domain for IT

Existing Coverage & Gaps


Page 27: FORUM 2013 Cyber Risks - not just a domain for IT

Existing Insurance Policy Claims Trends

Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result.”

State National Insurance Co. v. Global Payments, April 2013: $84 million Declaratory Judgment Action regarding excess Professional Liability policy: card association claims do not arise out of negligence from “professional services” or “technology-based services”

Hartford v. Crate & Barrel and Children’s Retail Stores (Declaratory Judgment Action with respect to GL Policy):

– Over 125 class actions in California, led by: Pineda v. Williams Sonoma, 51 Cal.4th 524, 246 P.3d 612 (Cal. 2011) (zip codes are personal identification information protected by California’s Song-Beverly Act)

– Massachusetts class action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. filed May 23, 2011)

Colorado Casualty Insurance Company v. Perpetual Storage and the University of Utah (GL Policy): negligence suit against insurance broker for not placing proper coverage

Tornado Technologies Inc. v. Quality Control Inspection, Inc. (Ohio Ct. App. August 2, 2012): no negligence of insurer for not warning insured to purchase special cyber policy

Retail Ventures v. National Union Fire Ins. (August 23, 2012): Crime Policy Endorsement applies

Liberty v. Schnucks (August 2013): Declaratory Judgment filed regarding General Liability policy

Page 28: FORUM 2013 Cyber Risks - not just a domain for IT

Scope of Available Coverage

Breach
• Online and offline breaches
• Accidental or “rogue” employee actions
• Breaches caused by vendors or outsourcers

Mitigation
• Notification costs
• IT forensics
• PR + advertising
• Credit monitoring
• “Turnkey” breach response from carrier partners

Regulatory
• Regulatory investigations
• Consumer redress funds
• Civil penalties
• PCI-DSS fines
• UK & EU country-specific laws

Liability
• Individual actions
• Consumer class actions
• Suits from business partners
• Suits from financial institutions

• Coverage should be customized based on the nature of the business
o For example, FI consumer-facing businesses can face a different liability chain (see recent ATMs)

• Additional coverage available:
o 1st Party Business Interruption: lost revenue due to failed network security
o Information Asset: loss or costs associated with restoring destroyed data
o Cyber Extortion: pays an extortion demand to a party that holds the Insured’s system or data hostage
o Media: content-based injuries (online and may include offline)

Page 29: FORUM 2013 Cyber Risks - not just a domain for IT

Insurance Underwriter Issues To Address

I. Contractual allocation of liability, hold harmless and indemnity between Insured and each of its counterparties

II. Are all subsidiaries 100% wholly owned, or are there joint ventures?

III. Does Insured comply with regulatory guidelines regarding disclosure of cyber exposures, mitigation and risk transfer insurance (ADR’s)?

IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name Insured as “Additional Insured”?). We have set up “affinity” type programs for large players in the Financial Institutions space where a supplier of the FI can obtain a $1 MM E&O policy for the benefit of the Insured FI

V. Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and products, and what are the revenues compared to total revenues?

VI. Do we have a breakdown of revenue by each product/service, as the exposures from each are different in both frequency and severity?

VII. What percentage of the products and services have been provided for over five years (at least 5 years’ worth of loss history)?

VIII. What percentage of products and services have been provided for less than one year?

IX. What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16?

X. What is the QA process for new products and services?

XI. What is the escalation process to approve contractual changes with customers?

XII. What is the escalation process to address and remedy complaints from customers?

XIII. What percentage of customers are business (B2B) vs. individuals (B2C)?

Page 30: FORUM 2013 Cyber Risks - not just a domain for IT

Optimal Cyber Program

Optimal Program, determined by:

• Insurable Risks
• Contractual Requirements
• Budget
• Risk Tolerance
• Maximum Probable Loss
• Peer Purchasing Data
• Scope of Coverage / Control
• Market Limitations

Page 31: FORUM 2013 Cyber Risks - not just a domain for IT


Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

LIMITING THE IMPACT OF CYBER INCIDENTS

Presented by Ben Van Erck

EMEA RISK team

Page 32: FORUM 2013 Cyber Risks - not just a domain for IT


PROPRIETARY STATEMENT

© 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services

are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.

This document and any attached materials are the sole property

of Verizon and are not to be used by you other than to evaluate

Verizon’s service.

This document and any attached materials are not to be disseminated,

distributed, or otherwise conveyed throughout your organization to

employees without a need for this information or to any third parties

without the express written permission of Verizon.

Page 33: FORUM 2013 Cyber Risks - not just a domain for IT


Page 34: FORUM 2013 Cyber Risks - not just a domain for IT

UNDERSTANDING THE WHO

Varied motivations, varied tactics:

• Motivation: aim is to maximize disruption and embarrass victims from both public and private sector. Tactics: use very basic methods and are opportunistic; rely on sheer numbers.

• Motivation: financial gain, so will take any data that might have financial value. Tactics: more calculated and complex in how they choose their targets; criminals are now trading information for cash.

• Motivation: often state-sponsored; driven to get exactly what they want, from intellectual property to insider information. Tactics: use the most sophisticated tools to commit the most targeted attacks; tend to be relentless.

Page 35: FORUM 2013 Cyber Risks - not just a domain for IT

STATE-AFFILIATED ESPIONAGE

• STATE-AFFILIATED ACTORS PERPETRATED 19% OF ATTACKS LAST YEAR.

• TARGETS ARE NOT JUST GOVERNMENT AGENCIES, AND NOT JUST MILITARY CONTRACTORS.

• BE AWARE OF THE “KNOCK-ON EFFECT” IN YOUR SUPPLY CHAIN.

Page 36: FORUM 2013 Cyber Risks - not just a domain for IT

DIFFICULTY OF ATTACK

Page 37: FORUM 2013 Cyber Risks - not just a domain for IT

WHAT TO WORRY ABOUT

THIS YEAR’S BIGGEST THREATS? SAME AS LAST YEAR’S.

• Very few surprises, mostly variations on a theme.

• 75% of breaches were driven by financial motives.

• 95% of espionage relied on plain old phishing.

• Well-established threats shouldn’t be ignored.

Page 38: FORUM 2013 Cyber Risks - not just a domain for IT

WHAT TO WORRY ABOUT

WHAT DO ATTACKERS TARGET? STILL THE TRADITIONAL ASSETS.

• The weak links haven’t changed much:
– Desktops 25%
– File servers 22%
– Laptops 22%

• Unapproved hardware accounts for 43% of misuse cases.

Page 39: FORUM 2013 Cyber Risks - not just a domain for IT

ATTACK VELOCITY: QUICK TO COMPROMISE

• In 84% of cases, initial compromise took hours or less.

Page 40: FORUM 2013 Cyber Risks - not just a domain for IT

DETECTION VELOCITY: QUICK TO COMPROMISE, SLOW TO DISCOVER

• 66% of breaches went undiscovered for months… or even years.

Page 41: FORUM 2013 Cyber Risks - not just a domain for IT

RECOMMENDATIONS

Page 42: FORUM 2013 Cyber Risks - not just a domain for IT


INCIDENT RESPONSE PLAN

• Develop an IR plan (people, process, technology)

• Mock incident testing

– Table-top

– Fake incident

– Red vs Blue team

• Most important step in your IR process: learning from mistakes (yours and other people’s)

• Stakeholders

• Decision makers

IT’S NOT ABOUT THE PLAN, IT’S ABOUT THE PLANNING!

Page 43: FORUM 2013 Cyber Risks - not just a domain for IT

Additional Information

• Download DBIR – www.verizonenterprise.com/dbir

• Learn about VERIS - www.veriscommunity.net and http://github.com/vz-risk/veris

• Explore the VERIS Community Database: http://public.tableausoftware.com/views/vcdb/Overview and learn more about this data at http://veriscommunity.net/doku.php?id=public

• Ask a question – [email protected]

• Read our blog - http://www.verizonenterprise.com/security/blog/

• Follow on Twitter - @vzdbir and hashtag #dbir


Page 44: FORUM 2013 Cyber Risks - not just a domain for IT


DBIR: www.verizon.com/enterprise/databreach

VERIS: www.veriscommunity.net/

Page 45: FORUM 2013 Cyber Risks - not just a domain for IT

Please fill in the session feedback through the FERMA Mobile app

