Upload: truongkhue

Post on 10-May-2018


Page 1: A reinsurer’s perspective on cyber threats, cyber reinsurer’s perspective on cyber threats, cyber ... Myth- Each cyber attack is different hence prevention is impossible ... Bangladesh,
Page 2:

A reinsurer’s perspective on cyber threats, cyber resilience, insurance and data taxonomy

Mark Coss

Source: used under licence from Shutterstock.com

Page 3: Agenda

1. Cyber Security Taxonomy: from threats to an insured loss
2. Cyber Attack Life Cycle: what does a targeted attack look like?
3. Information Security & Systems Control Risk Management framework
4. Cyber Insurance: available risk transfer and residual business risk
5. Data Taxonomy: what data needs to be fed into an industry database and recorded

13-Oct-16, A reinsurer’s perspective on cyber, Mark Coss

Page 4: Section 1. From threats to an insured loss

Page 5: Cyber Security Taxonomy, from threats to an insured loss: Assets

Assets:
• Workstations
• OS, applications, browsers
• Servers
• Network devices
• Telephone
• Cloud provider
• Persons
• Processes
• Information

Source: http://cambridgeriskframework.com/getdocument/39

Page 6: Cyber Security Taxonomy, from threats to an insured loss: Vulnerabilities

Taxonomy layers shown: Vulnerabilities, Assets

Cyber vulnerabilities:
• Buffer overflows
• SQL injection
• Cross-site scripting (XSS)
• Privilege escalation
• Unencrypted data
• Untrained personnel
• Misconfiguration
• Inadequate policies

Source: https://www.riskbasedsecurity.com/2015/12/our-new-year-vulnerability-trends-prediction/

Page 7: Cyber Security Taxonomy, from threats to insured loss: Threats

Taxonomy layers shown: Threats, Vulnerabilities, Assets

Cyber threats:
• Denial of Service (DoS)
• Phishing
• Social engineering
• Ransomware
• Virus/Trojan/worms (malware)
• Espionage
• Botnets
• Zero-day exploits
• Identity theft

Figure: 2015 World Map of Malware & Threats by Sophos (Source: © Sophos GmbH). Legend categories: banking Trojan, remote access Trojan (RAT), password stealers, download malware, ransomware, spambots, others, bootkits, viruses, worms. Regions shown: Scandinavia, Russia, Canada, USA, Colombia, Brazil, South Africa, Great Britain, DACH, Italy, Turkey, Saudi Arabia, China, Japan, Australia, Hong Kong, Philippines, India, Malaysia, Singapore.

Page 8: Cyber Security Taxonomy, from threats to an insured loss: Actors

Taxonomy layers shown: Threats, Vulnerabilities, Assets, Actors

Threat matrix:

| | Cybercrime | Cyberkid | Cyberwar and cyberespionage | Cyber-terrorist | Hacktivist |
|---|---|---|---|---|---|
| Motivation | Money | Fun, curiosity | Strategic | Ideology/religion | Politics, ethics |
| Choice of targets | Individual, by chance or directly aimed | By chance, political reasons | Individual, collateral | Ideological, anti-western, collateral, media-affected | Ideological and political targets |
| Organisation | Strongly pronounced | Partially | Perfect | Regional | Structured |
| Competence | High | Low-high | Very high | Low-high (external help) | Middle-high |

Source: https://www.europol.europa.eu/content/eu-serious-and-organised-crime-threat-assessment-socta

Page 9: Cyber Security Taxonomy, from threats to an insured loss (summary diagram: Threats, Vulnerabilities, Assets, Actors)

Page 10: Section 2. Cyber Attack Life Cycle

Page 11: Myth: each cyber attack is different, hence prevention is impossible

• Old (successful) attacks are used repeatedly
• Re-use of code amongst criminals
• The cyber attack process is exactly the same
• Recent examples

Page 12: Cyber Attack Process (figure slide; Source: Cyber Kill Chain, Intelligence-Driven Cyber Defense, Lockheed Martin)

Pages 13-18: Cyber Attack: what does a targeted attack look like? (built up across six slides)

• Espionage: Recon, Lure
• Intrusion: Redirect, Exploit
• Evolution: Dropper, Call Home
• Attack: Data Theft, Denial-of-Service, Manipulate data
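The slides' argument against the "every attack is different" myth is that the phases are always the same, which is exactly what a defender can key detection on. The following added example (not part of the deck or of Lockheed Martin's material) scores each host on how far along the chain its alerts have progressed and escalates on progression rather than on any single indicator. The stage names follow the slides; the alert names, their mapping to stages, and the events are constructed for illustration.

```python
"""Kill-chain progression scoring over host events.

Added example, not from the slides: the deck argues that targeted attacks
follow the same phases every time (Espionage/Recon, Lure, Intrusion,
Evolution, Attack), so a defender can score each host on how far along
that chain its observed alerts have progressed and escalate on
progression rather than on any single indicator. Stage names follow the
slides; the alert names, mapping and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Phase order as presented on the slides, earliest to latest.
STAGES = ["recon", "lure", "intrusion", "evolution", "attack"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}

# Hypothetical mapping from detector alert names to kill-chain phases.
ALERT_TO_STAGE = {
    "external_port_scan": "recon",
    "phishing_mail_delivered": "lure",
    "browser_exploit_blocked": "intrusion",
    "macro_spawned_process": "intrusion",
    "new_persistence_autorun": "evolution",
    "beacon_to_rare_domain": "evolution",  # "call home"
    "bulk_outbound_transfer": "attack",    # data theft
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    alert: str


def correlate(events, window=timedelta(hours=72)):
    """Map each host to the distinct stages seen within `window` of that
    host's most recent mapped alert, ordered along the chain.
    Alerts with no stage mapping are ignored."""
    by_host = defaultdict(list)
    for e in events:
        stage = ALERT_TO_STAGE.get(e.alert)
        if stage is not None:
            by_host[e.host].append((e.ts, stage))
    result = {}
    for host, items in by_host.items():
        items.sort()
        latest = items[-1][0]
        recent = {s for ts, s in items if latest - ts <= window}
        result[host] = sorted(recent, key=STAGE_INDEX.__getitem__)
    return result


def escalate(host_stages, min_stages=2):
    """Select hosts worth an analyst's attention: at least `min_stages`
    distinct phases with the chain having reached 'intrusion' or later,
    or any 'attack'-phase sighting on its own. Returns
    (host, furthest_stage, next_expected_stage) tuples, furthest first."""
    out = []
    for host, stages in host_stages.items():
        if not stages:
            continue
        furthest = stages[-1]
        idx = STAGE_INDEX[furthest]
        reached_intrusion = idx >= STAGE_INDEX["intrusion"]
        if (len(stages) >= min_stages and reached_intrusion) or furthest == "attack":
            nxt = STAGES[idx + 1] if idx + 1 < len(STAGES) else None
            out.append((host, furthest, nxt))
    out.sort(key=lambda t: -STAGE_INDEX[t[1]])
    return out


# Constructed events: one host progressing through four phases, one with a
# lone lure, one with a stale recon hit and a fresh exfiltration alert.
_T0 = datetime(2016, 10, 10, 8, 0)
SAMPLE_EVENTS = [
    Event(_T0, "ws-101", "external_port_scan"),
    Event(_T0 + timedelta(hours=5), "ws-101", "phishing_mail_delivered"),
    Event(_T0 + timedelta(hours=6), "ws-101", "macro_spawned_process"),
    Event(_T0 + timedelta(hours=30), "ws-101", "beacon_to_rare_domain"),
    Event(_T0 + timedelta(hours=2), "ws-202", "phishing_mail_delivered"),
    Event(_T0 - timedelta(days=10), "srv-7", "external_port_scan"),
    Event(_T0 + timedelta(hours=40), "srv-7", "bulk_outbound_transfer"),
    Event(_T0 + timedelta(hours=1), "ws-303", "unmapped_alert"),
]

if __name__ == "__main__":
    stages = correlate(SAMPLE_EVENTS)
    for host, furthest, nxt in escalate(stages):
        print(f"{host}: reached {furthest} via {stages[host]}; watch for {nxt}")
```

The time window matters: the stale port scan against srv-7 falls outside it and does not count toward progression, while the lone exfiltration-stage alert still escalates because a late-stage sighting is serious on its own. The "next expected stage" output tells the analyst which phase to hunt for on that host.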

Page 19: Cyber attacks on the world of finance

Bangladesh, March 2016: central bank theft of USD 101 million

Page 20: Section 3. Information Security Risk Management

Page 21: Accept: cyber attacks are a real threat

• Same risk irrespective of business size
• Increasing Board recognition of cybersecurity & privacy due to high-profile incidents, e.g. Target
• Increasing focus from regulators
• Cybersecurity incidents: 34% year-on-year growth, and attacks average 200 days before discovery

Why?
• Cultural: acceptance that no system is secure, and consumer privacy concerns
• Technological: cloud security and IoT

Sources: 2015 Trustwave Global Security Report; State of Cybersecurity, ISACA report 2015; Ponemon/IBM data breach study 2015

Page 22: Cyber Risk Landscape

• Australia ranked 3rd for malicious URLs/phishing attacks and 4th globally for botnet infections (Source: Ponemon 2015)
• Average loss incurred by security breaches is under US$3 million, but this figure covers only direct costs such as forensics, PR and legal. Third-party liability and damages would increase losses four-fold.
• Time for businesses to discover a sophisticated cyber attack is between 200 and 280 days
• 38% of mobile users have experienced cybercrime (Source: Symantec 2014)
• In 2013, cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion (Source: Symantec 2013)
• 71% of incidents go undetected (Source: Trustwave 2014)
• 60% of SMEs close their doors within 6 months of a cyber attack (Source: Experian 2015)

Pages 23-26: Cyber Security Framework: NIST, a comprehensive cyber security framework used by ASIC Report 429 (built up across four slides)

Identify
• Asset management
• Risk assessment
• Governance & compliance
• Responsibilities
• Risk management
• Procurement
• Working with external partners
• Recruitment

Protect
• User access control
• Awareness & training
• Data security
• Information protection processes and procedures
• Protection technologies
• Encryption
• Patch & change management

Detect
• Detection processes
• Security Incident Event Monitoring (SIEM) & anomalies
• Security continuous monitoring
• Anti-virus

Respond & Recover
• Incident management
• Emergency management
• Backup
• Disaster Recovery (DRP)
• Business Continuity Management (BCP)

Page 27: Section 4. Cyber Insurance

Page 28: Cyber insurance's role is secondary to cyber resilience

Risks transferred & service benefits:
• First party: reputational expenses, customer support for customer notification, advertising & credit card monitoring, data recovery, business interruption, investigation and legal costs, cyber extortion, clean-up of leaked data
• Third party: technology professional services, multimedia liability, security and privacy liability, personal data liability, corporate data liability, civil & some criminal penalties, outsourcing risk
• Benefits: access to an expert panel to manage a cyber event and mitigate losses

Business and residual risk:
• Loss of or damage to reputation/trust/brand
• Betterment costs to address vulnerabilities
• Physical hardware loss/damage
• Loss of customers and jobs
• Loss in competitive advantage and markets
• CBI from service interruption of critical infrastructure
• Under- and uninsured losses (+ policy exclusions)
• Specific intellectual property, e.g. patents

Page 29: Cyber claims: data breaches and insured costs (chart slide)

Page 30: Insurance risk transfer solutions for SMEs: a standalone cyber product is to be the main source of liability cover as exclusions in traditional policies become more commonplace

Cyber insurance policy:

3rd-party cyber liability:
• Privacy disclosure/liability
• Access failure
• Security failure
• Intellectual property
• Internet communication and media liability

Crisis consulting:
• Legal counsel
• Forensics
• Notification costs
• Credit monitoring

1st-party cyber expenses:
• Business interruption
• IT vandalism
• Network extortion
• Electronic theft
• Internal network interruption
• Administrative fines

Page 31: Munich Re modular wording: overview of coverage elements

I. Loss or Theft of Data Coverage (1st party)
II. Confidentiality Breach Liability Coverage (3rd party)
III. Privacy Breach Protection Coverage (1st party)
IV. Privacy Breach Liability Coverage (3rd party)
V. Payment Card Industry Data Security Standard (PCI-DSS) Coverage (1st party)
VI. Business Interruption Coverage (1st party)
VII. Cyber Extortion Coverage (1st party)
VIII. Network Security Liability Coverage (3rd party)
IX. Reputational Risks Coverage (1st party)

Page 32: Pricing cyber risk is problematic at present

• The key problem is scarcity of data. While there are markets for assessments of loss frequencies due to cyber-related threats, this is not the case for loss severities.
• The same holds for cyber-related threats, which are well covered by various parties (commercial as well as non-commercial). However, to turn knowledge about threats into the ability to quantify loss potential, historic threats and losses have to be matched systematically. As of today, this kind of data appears not to be available.
• External pricing models unavailable, no “buy” option (RMS, AIR, Symantec, Cambridge…)
• Motivation for the database project (NAIC for industry codes, VERIS for cyber losses in the US)
• Presently no mandatory requirements by ISA/APRA, and unable to identify cyber experience in NCPD
• Presently mostly pragmatic methods used for pricing single cyber risks (i.e. ROL, benchmarking)
• Mainly non-experience-based pricing methods used globally so far
• Given very dynamic trends in cyber losses and the risk of change, pricing profitability is not yet ensured

Page 33: Threat modelling frameworks

There are a number of threat modelling frameworks, designed to help organisations understand cybersecurity risks in a formal, standardized way.

Frameworks:
• STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
• DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
• CVSS (Common Vulnerability Scoring System)
• PASTA (Process for Attack Simulation & Threat Analysis)

Page 34: VERIS cyber data framework (figure slide)

Page 35: APRA NCPD: existing industry data inputs not relevant to cyber incidents

Page 36: Questions & Answers

Page 37: Just follow up with us at your convenience. Mark Coss

Pages 38-43: Cyber threats and loss data for the Accounting Services sector (chart slides; Source: Hiscox & Advisen, page 43: Advisen)