How can your Captive help you manage Cyber risks?

Presentation transcript:

How can your Captive help you manage Cyber risks?

Agenda
- History: Continued evolution of cyber threats
- Regulatory focus: What are the regulators interested in?
- Focus now on response; not prevent: Not a matter of ‘if’ but ‘when’
- Protect what is important: External perimeter; internal assets
- Cyber insurance: Panel discussion

History

Today’s cyber security threat
Business depends on technology. Digital systems are now the lifeblood of most companies, but they also have the potential to bring about their demise. Given the mission-critical nature of data in nearly every aspect of modern enterprise, organizations are facing not simply escalating risk, but the near-certainty that they will suffer an information security breach. Cyber security threats are evolving with unparalleled speed, complexity and impact, with reported breaches of information security rising annually by more than 50%. Organizations are no longer asking “are we secure?”, but “how can we ensure that the information most important to our business will be secure enough?”

Cyber security threats are constantly evolving

Many organizations are still fighting to close the gap
Companies have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration. However, the number and sophistication of threats have also increased, and are challenging Information Security functions to keep up. As a result, the gap between what Information Security functions are doing and should be doing has widened.
(Figure: The Gap)

Regulatory focus

What are the Regulators Asking?
- SEC: Cyber exams performed in both 2014 and 2015, with continued and increased focus planned for 2016.
- NAIC (National Association of Insurance Commissioners): April: Cybersecurity Task Force of the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance.
- FINRA (Financial Industry Regulatory Authority): February 2015: FINRA released “The Report on Cybersecurity Practices”, which discussed the results of their 2014 targeted Cyber Sweep exams.
- PCAOB (Public Company Accounting Oversight Board): “Information gathering” during the 2014 and 2015 examination cycle, plus inquiring of Big 4 and other accounting firms about organizations’ cyber strategies.
- FFIEC (The Federal Financial Institutions Examination Council): Released a Cybersecurity Self Assessment for firms in June.
- SIFMA (Securities Industry and Financial Markets Association): SIFMA created a Cybersecurity Resource Center to provide guidance on how organizations should ensure that Cyber Risks are considered in their environment.
In addition to the regulatory focus, compliance with the different data protection and data privacy laws is an additional burden on organizations.

Focus now on response, not just prevent

“We fight off 50,000 cyber attacks every day”
CEO, global energy organization

“The question is not if your company will be breached, or even when. It has already happened. The real questions are: are you aware of it, and how well are you protected for the future?”

The importance of staying ahead of Cybercrime
As cybersecurity threats evolve with unparalleled speed, complexity and impact, organizations are no longer asking “are we secure?” but “how can we ensure that the information most important to our business will be secure enough?” In today’s connected, information-heavy world, a startling new way of viewing the global business landscape is emerging. Given the mission-critical nature of data in nearly every aspect of modern enterprise — and the astonishing growth in the cyber criminals who seek to undermine it — organizations across all sectors are facing not simply escalating risk, but the near-certainty that they will suffer an information security breach. In fact, the harsh reality of today’s security environment means that they are likely to have experienced it already and that, therefore, there are only two kinds of organization: those that have been breached and know it, and those that remain dangerously oblivious.

Protect what is important

External network; internal assets
External
- Protecting the perimeter is key for all organizations, although the concept of ‘perimeter’ is diminishing due to:
  - BYOD: each device added is an extension of the ‘perimeter’
  - Cloud computing and virtualization
  - Increasing use of 3rd parties to perform key business processes, involving data transfer, vendor application systems etc.
Internal
- The insider threat is one of the key cybersecurity risks, and organizations need to seriously consider their security stance from both an external and internal perspective.
- Organizations must recognize and prioritize their critical assets and implement the necessary controls to help protect those assets.

Understand your business, assets and risks

The Cybersecurity framework

Cyber insurance

APPENDICES

Milestones in cyber risk insurance
- First internet liability policy was written
- DotCom bubble, first phase of growth focusing on technology risk
- First breach notification law passed in the US
- ChoicePoint, data breach highly publicized in media. It paid a fine of US$10 million to FTC
- Target Breach, 40 million card details and 70 million PII compromised
- NIST, Cyber security framework launched in the US
- Cyber Essentials, risk management framework launched by the UK government
- EU Data Protection Directive likely to be approved in 2015

Cyber Insurance
What does it cover?
Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Policies generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement. Generally, cyber risks fall into first party and third party risks. Insurance products exist to cover either or both of these types of risk.

First-party insurance covers your business’s own assets. This may include:
- Loss or damage to digital assets such as data or software programs
- Business interruption from network downtime
- Cyber extortion where third parties threaten to damage or release data if money is not paid to them
- Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
- Reputational damage arising from a breach of data that results in loss of intellectual property or customers
- Theft of money or digital assets through theft of equipment or electronic theft

Third-party insurance covers the assets of others, typically your customers. This may include:
- Security and privacy breaches, and the investigation, defense costs and civil damages associated with them
- Multi-media liability, to cover investigation, defense costs and civil damages arising from defamation, breach of privacy or negligence in publication in electronic or print media
- Loss of third party data, including payment of compensation to customers for denial of access, and failure of software or systems

Cyber cover includes first-party as well as third-party losses

First-Party Insurance
First-party cover applies to losses incurred directly by the insured, such as damage to the data and systems of an organization as a result of cyber attack or technological glitch. Costs covered include:
- Forensic investigation of security breach to assess the impact
- Notification cost to affected parties such as customers and business stakeholders
- Regulatory obligations, fees and penalties, expense related to crisis management, credit monitoring, public relations
- Loss of profits due to business interruption caused by network outage or cyber attack
- Restoration cost for damaged systems and data retrieval due to cyber attack or technical glitch

Third-Party Insurance
Third-party insurance, or cyber-liability insurance, applies to the defence costs, damages and liabilities to third parties such as customers, business partners and regulatory agencies. It also includes the policyholder’s actions or omissions while providing technology or consulting services. Costs covered include:
- Third party claims for damages incurred by customers or business partners and vendors
- Legal defence cost and regulatory fines and penalties for claims made
- Civil lawsuits, settlements or judgment related to security breach
- Media liability covering claims such as infringement of intellectual property, copyright/trademark, libel and slander
- Claims arising from errors made by technology or consulting companies while providing service

The cost of data breach from cyber attack

The average cost of the worst breach suffered has gone up significantly, particularly for small businesses
- £600k - £1.15m is the average cost to a large organization of its worst security breach in 2014 (up from £450 - £850k a year ago)
- £65k - £115k is the average cost to a small business of its worst security breach in 2014 (up from £35 - £65k a year ago)
- In fact, 10% of organizations in UK that suffered a breach in the last year were so badly damaged by the attack that they had to change the nature of their business.

Time taken to address breach has also gone up substantially
- The average length of time for which respondents’ worst breaches disrupted operations increased to 7-10 days for small businesses and 5-8 days for large companies in 2014 vs. just 1-2 days on average for both in 2012
- Among small businesses, the average time spent on responding to incidents is man-days, up from 6-12 man-days in
- In large organizations, the effort required was also much higher with an average man-days, up from man-days in

Cyber Loss Spectrum
(Figure axes: 1st Party / 3rd Party; Financial / Tangible)

Any major cyber event will result in
- PR, response, and continuity costs
- Immediate and extended revenue loss
- Restoration expenses
- Defense costs

Third parties will seek to recover
- Civil penalties and awards
- Consequential revenue loss
- Restoration expenses

Physical damage is possible
- 1st party property damage
- 1st party bodily injury

Physical damage may cascade to others
- 3rd party property damage
- 3rd party bodily injury

2016 Aon Captive Cyber Benchmarking Survey
Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry
Source: 2016 Aon Captive Cyber Benchmarking Survey