2015 SOA Annual Meeting & Exhibit, Session 57 Lecture, Cyber
Posted on 31-Dec-2016
TRANSCRIPT
Session 57 L, Cyber Risks: Risk Management and Insurance
Moderator: Mike Porier
Presenters:
Elisabeth Case, ARM; Ray Farmer; Mike Porier
Cyber Risks: Risk Management & Insurance
October 12, 2015
Cyber Risks & Considerations
Agenda & Introductions
Cyber Insurance Market
NAIC Resources
Michael Porier, Protiviti, Managing Director, Cyber Security & Privacy
Elisabeth D. Case, Marsh, SVP & National Commercial E&O Practice Lead
Raymond G. Farmer, Director of South Carolina Department of Insurance
Cyber Risks & Considerations, Michael Porier, Protiviti
In the news…
What is Cybersecurity?
Sources: Secondary Research
Data is increasingly getting digitized and the internet is being used to save, access and retrieve vital information. Protecting this information is not just a priority, but has become a necessity for most companies and government agencies around the world.
Types of Cyber Threats
Cyber Terror
Hacktivism
Cracking
Information Warfare
Cyber Crime
Cyber Espionage
Cyber Threats
• Spam
• Identity theft
• Malicious code such as Viruses, Worm, Trojan Horse
• Phishing attacks
• Spyware
• Denial-of-service attacks
• Packet spoofing
Security Measures for Protection
Methods
• Personal Security
• Legal Compliance
• Incident Reporting
• Continuity Planning
• System Protection
• Physical & Environmental Protection
• Communications Protection
• Access Controls
Cyber Incidents in Recent Years
The Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million in 2014, an increase of 48% over 2013. That’s the equivalent of 117,339 incoming attacks per day, every day.
The compound annual growth rate (CAGR) of detected security incidents has increased 66% year-over-year since 2009.
Total number of detected incidents (in millions):
2009: 3.4
2010: 9.4
2011: 22.7
2012: 24.9
2013: 28.9
2014: 42.8
Source: PWC
Biggest Data Loss Incidents (2013-14)
Chart of the largest data loss incidents of 2013 and 2014, grouped by sector (Financials, Web, Tech, Government, Healthcare, Retail). Organizations shown include Twitter, LinkedIn, eHarmony, Last.fm, Evernote, Apple, Facebook, Florida Department of Juvenile Justice, Advocate Medical Group, Crescent Health, Inc., Walgreens, Ubuntu, Nasdaq, South Africa Police, Community Health Services, JP Morgan Chase, European Central Bank, Korea Credit Bureau, Gmail, AOL, Adobe, Kroll Background America, Lexis Nexis, SnapChat, Dun & Bradstreet, Kissinger Cables, Washington State Court System, Home Depot, Target, Ebay and Florida Courts.
Sources: Information is Beautiful
The Cyber/Data Breach Landscape (2014)
• Number of breaches: 2000
• Records compromised: 700m
• Financial losses: $400m
• >200 days: the average time from breach until discovery
• >60%: companies learn they have been breached from a third party (customer, partner, vendor etc.)
• 60%: cases where hackers were able to compromise an organization within minutes
• 40%: controls determined to be most effective fall into the “quick win” category
• Most recorded attacks stem from external threat actors, though internal threat actors are increasing (including abuse of access and loss of hardware).
• Breaches increasingly come from “unknown unknowns” – almost every breached organization had up-to-date anti-virus.
Source: Verizon, 2015 Data Breach Investigations Report
Source of Cyber Attacks: Insiders vs Outsiders
Insiders (2013 / 2014):
Current employees: 31% / 35%
Former employees: 27% / 30%
Current service providers/consultants/contractors: 16% / 18%
Former service providers/consultants/contractors: 13% / 15%
Suppliers/business partners: 12% / 13%
Customers: 10% / 11%
Outsiders (categories charted for 2013 and 2014): Terrorists; Organized crime; Activists/activist organizations/hacktivists; Information brokers; Competitors; Foreign entities & organizations; Foreign nation-states; Domestic intelligence service; Hackers; Do not know
Source: PWC
Top 5 Cyber Security Risks in 2015
1. Ransomware: A type of malware which restricts access to the computer system that it infects; it will become increasingly sophisticated in its methods and targets.
2. Internet of Things: The connection of physical devices such as home appliances and cars to the internet will still be the “Internet of Vulnerabilities”.
3. Cyber-espionage: Cyber espionage is becoming the weapon of choice for many national governments.
4. Cyber theft increases: New ways of paying for goods, such as contactless and mobile payments, bring a new opportunity for hackers.
5. Insecure Passwords: Easy-to-crack passwords will continue to be a big risk in 2015.
Source: CNBC
Cyber Risk Assessment and Management
Proper cyber security risk management is more than a technology solution. A company, led by its CEO, must integrate cyber risk management into day-to-day operations. Additionally, a company must be prepared to respond to the inevitable cyber incident, restore normal operations and ensure that company assets and the company’s reputation are protected.
Cyber Risk Management comprises:
Cyber Risk Mitigation – Implement a Cybersecurity Plan
• Understand what information you need to protect: identify the corporate “crown jewels”.
• Identify threats to the crown jewels.
• Forecast the consequences of a successful attack.
• Cyber assessments.
Cyber Insurance – Risk Transfer
• Security & Privacy Liability
• Crisis Management
• Regulatory Proceedings
• Data Recovery
• Cyber Extortion
Source: Staysafeonline
Cybersecurity Framework (CSF)
The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization’s management of cyber risks.
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Defense in Depth
Compliance does not equal security!
Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise.
If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.
Layers:
• Physical Security
• User Awareness
• Firewalls and IDS/IPS
• Logical Access
• Anti-Virus
• Patch Management
• Device Configuration
Source: http://searchsecurity.techtarget.com/definition/defense-in-depth
What Are Organizations Doing?
• Evaluating security risks from key vendors and partners
• Assessing internal and external vulnerabilities and performing periodic penetration tests
• Evaluating the “Breach Kill Chain”
• Identifying critical data (the “crown jewels”) and how it is being controlled
• Developing (and testing) breach response plans
• Employing tools to help answer the questions “are we already breached?” and “how would we know if a breach occurs?”
• Wrapping all of this into a holistic security program – continuous and on-going
• Training and awareness to raise education of employees
• Using the CSF to assess their program
Conclusions
Focus on the Fundamentals
• “Simple or intermediate” controls will prevent many attacks.
• Expensive tools and large initiatives are often not required.
• How effectively does your team “block and tackle?”
Perform Periodic Assessments
• Internal/External Vulnerability Assessments and Penetration Tests
• Wireless Security / Firewall Reviews / Web Application Scans
• Social Engineering
Layer Defenses
• Many breaches involve several vulnerabilities.
• Maintain a “defense-in-depth” posture.
Awareness and Training
• Train your employees what to look for (phishing emails, telephonic approaches, etc.)
• Classroom style rather than CBT
Cyber Insurance Market, Elisabeth D. Case, Marsh
© Marsh
CYBER INSURANCE TAKE-UP RATES
LARGE BUYERS ARE BUYING MORE LIMIT
RATES ARE MOVING BACK UP
US Cyber Insurance Marketplace (2014 Betterley Report)
• Annual gross written premium may be as much as $2.0 billion (up from $1.3 billion in last year’s Report).
• The industry is divided by size (gross written premium) as follows:
  – A limited number of very large writers, with premiums in excess of $100 million (AIG, ACE, Beazley, Zurich)
  – Several carriers in the $50-100 million range (Endurance, XL, etc.)
  – Several more in the $25-50 million range (Liberty, etc.)
  – Numerous carriers and Managing General Underwriters writing $10-25 million
  – Several writing in the $5-10 million and $1-5 million ranges
A VOLATILE MARKET
• The US Cyber market is like two massive, but opposed forces coming together with unpredictable, unstable results
• “Wall of Demand”: US Cyber Market is one of the fastest-growing markets in insurance; client penetration is still less than 25%
• “Wall of Claims”: Recent acceleration in number and magnitude of Cyber events
CAP(ACITY) CRUNCH?
• Capacity, Coverage, and Cost are the Three Sides of the Risk Transfer Triangle
• Coverage continues to expand
  – Increased uptake of 1st-party Cyber Coverages
  – Expanding coverage for PCI breaches
  – Continued carrier innovation
• Capacity remains generally available
  – Our recent survey of capacity for large purchasers indicates $350m+
  – More capacity is available if Cyber is blended with E&O (where appropriate)
  – Significant restrictions on capacity for managed care, coupled with restrictions on coverage under Managed Care E&O
• Costs are rising
  – We can get the limits, but it may be hard to find the rate you had last year at every layer of your program
CYBER RISK MANAGEMENT
• Cyber Risk Management means thinking about more than just Prevention
  – There is no IT Budget large enough to eliminate the risk of Cyber Events
  – Cyber Risk must be accepted and managed by the organization
  – But who should do this job?
• Cyber Risk Management is a job for RM, not for IT
  – IT is a critical stakeholder, but they can’t manage Cyber risk on their own
  – Risk Management is a holistic process for the entire organization
• Stages of Cyber Risk Management
  – Assessment – assessments, analytics, valuation, modeling
  – Manage – Prevent, Prepare/Mitigate, Transfer
  – Respond – Remediate and Recover
WHAT CAN YOU DO?
• Cyber risk management involves the engagement of resources throughout the organization. Not just IT.
• Cyber risk management means focusing on assessment, preparation, and response.
• Organizations should integrate outside stakeholders, like law enforcement, regulators, and cyber security resources, into their cyber risk management framework.
• Business-partner management is also a critical concern, since many cyberattacks target resources that may be outside a company’s direct control.
• Risk transfer should be part of the risk management approach. Regulators are starting to expect insurance will be present.
NAIC Resources, Raymond G. Farmer, Department of Insurance
Discussion Topics
• Task Force Formed
• Guiding Principles
• Annual Statement Supplement
• IT Examination Working Group
• Consumer Bill of Rights
• Model Laws
Guiding Principles
Released for public comment
Initial draft based on SIFMA guiding principles
Adopted set of 12 guiding principles
http://www.naic.org/documents/committees_ex_cybersecurity_tf_final_principles_for_cybersecurity_guidance.pdf
Guiding Principles 1, 2 & 3
Principle 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.
Principle 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.
Principle 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.
Guiding Principles 4 & 5
Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.
Guiding Principles 6 & 7
Principle 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.
Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
Guiding Principles 8 & 9
Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
Guiding Principles 10, 11 & 12
Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.
Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.
Annual Statement Supplement
Identity Theft Insurance
Cybersecurity Insurance
IT Examination (E) Working Group
Review existing guidance
Reviewing data security controls
Financial Examination Handbook
Consumer Bill of Rights
Statutes Regarding Security Breach Notification
Expectations of Insurers in the Event of a Cybersecurity Incident
Current Project for Task Force
Model Laws and Regulations
• Insurance Information and Privacy Protection Model Act (#670) – Created in response to the Gramm-Leach-Bliley Act
• Privacy of Consumer Financial Health and Information Regulation (#672) – Created in response to the Gramm-Leach-Bliley Act
Model Laws and Regulations
• Standards for Safeguarding Consumer Information Model Regulation (#673)
• Insurance Fraud Prevention Model Act (#680)
Task Force Will Stay Abreast of What is Happening
FBIIC
FS-ISAC
Questions & Answers