cyber risk mitigation - eide bailly


Post on 06-Apr-2022


Page 1: Cyber Risk Mitigation - Eide Bailly

www.eidebailly.com/cybersecurity

Cyber Risk Mitigation

Eide Bailly

Howalt + McDowell Insurance

Page 2: Cyber Risk Mitigation - Eide Bailly

Introduction

Meet your presenters

Eric Pulse
Risk Advisory | Director

• 20 years in the public accounting and consulting industry providing information technology risk advisory and cyber security consulting services to a variety of industries
• Certifications
  • Certified Information Systems Auditor
  • Certified Information Security Manager
  • Certified in Risk and Information Systems Control
  • GIAC Security Essentials Certification
  • Certified Financial Services Auditor

Page 3: Cyber Risk Mitigation - Eide Bailly

Introduction

Karen Andersen
Risk Advisory | Manager

• 20+ years of technology consulting experience across a wide variety of industries performing cyber security assessments and risk assessments
• Karen also provides expertise in the areas of PII, eDiscovery, Data Breaches, HIPAA Assessments, Investigations, and Information Risk Assessments
• Certifications
  • Certified Information Security Manager

Page 4: Cyber Risk Mitigation - Eide Bailly

Introduction

Jared Ducommun
Sales Executive, Property & Casualty

• Howalt + McDowell Insurance, a Marsh McLennan Agency
• 16 years of experience with Internet and network infrastructure.

Page 5: Cyber Risk Mitigation - Eide Bailly

Agenda

• Cyber Threat Environment
• Challenges of Cyber Security
• Value of Data on the Black Market
• Cyber Insurance Trends
• Intersection of Cyber Insurance and Risk Mitigation
• Cyber Risk Mitigation
• NIST Framework
• It Pays to be Prepared

Page 6: Cyber Risk Mitigation - Eide Bailly

Maybe the Biggest Challenge

Sean Parker, co-founder of Napster and founding president of Facebook

This is core to the hacker mentality: We hack systems that can be hacked and leave the rest

Page 7: Cyber Risk Mitigation - Eide Bailly

Cyber Challenges

Threats are fluid

“The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk and relative controls to a particular system. You would be rewriting the white paper constantly ...”

Adam Vincent
Chief Technology Officer
Layer 7

Page 8: Cyber Risk Mitigation - Eide Bailly

Types of threats

Common cyber threats to most organizations:

• Malicious software or "malware"
• Distributed denial of service attacks
• Data leakage
• Third-party/cloud vendor risks
• Mobile/web application vulnerabilities
• Weaknesses in project management or change management

Page 9: Cyber Risk Mitigation - Eide Bailly

Causes of Cyber Intrusions

Percentage of Claims by Cause of Loss

• 27% Hacker
• 16% Malware/Virus
• 12% Lost/Stolen Device
• 10% Staff Mistake
• 9% Paper Records
• 8% Rogue Employee
• 18% All other causes

NetDiligence 2017 Cyber Claims Study

Page 10: Cyber Risk Mitigation - Eide Bailly

Targets

Smaller companies/vendors = bigger targets

Solution

• Increased due diligence
• Contractual provisions requiring cyber security standards and notice of breaches
• Cyber security insurance requirement for vendors
• Information sharing

Page 11: Cyber Risk Mitigation - Eide Bailly

What’s Your Data Worth?

Advertised Prices on the Black Market

• U.S.-based credit card with verification | $1-$6
• An identity (including U.S. bank account, credit card, date of birth, and gov.-issued ID) | $14-$18
• List of 29,000 emails | $5
• Online bank account with $9,900 balance | $300
• Phishing website hosting | $3-$5
• Verified PayPal account with balance | $50-$500
• Skype account | $12
• One month World of Warcraft account | $10

Value to a Hacker

40M records sold for $2 per | $80M in profit

Page 12: Cyber Risk Mitigation - Eide Bailly

Detailed Costs

Average cost of a corporate data breach – $3.62 million

• U.S. FY 2017 average was $216 per record.
• U.S. FY 2016 average was $225 per record.

Medical information worth more than credit card data –

• 10 times more.
• It can’t be regenerated.
• Thieves use stolen medical data to order health care equipment or drugs then resell, submit made-up claims with insurance companies, etc.

Page 13: Cyber Risk Mitigation - Eide Bailly

Additional Costs

Direct and indirect costs incurred by the organization

• Forensic experts
• Outsourcing hotline support
• Providing free credit monitoring subscriptions
• Discounts for future products and services
• In-house investigations and communications
• Extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates
• Don’t forget counsel and any related litigation

Page 14: Cyber Risk Mitigation - Eide Bailly

Cyber Insurance

Timing is everything

Walter Anders, head of Hunton & Williams’ insurance litigation and recovery practice, says that many of those who have cyber insurance discover too late that their policies are not useful.

Source: Monika Gonzalez Mesa, Daily Business Review

Page 15: Cyber Risk Mitigation - Eide Bailly

Cyber Insurance

Recent Trends

• Roughly 80 different markets offering cyber products
• Pricing for cyber insurance has trended down over the years
• Coverages have broadened
• Integrated resource enhancement with coverages
• Increased underwriting scrutiny
• Cyber is not standardized
• Legal precedent is still being set

Page 16: Cyber Risk Mitigation - Eide Bailly

Cyber Insurance

Who needs coverage?

Everyone needs to have cyber insurance, but here are some of the main exposures with the largest risks:

Companies that have:

• Personally identifiable information
• Social Security numbers
• Banking information
• Driver’s license
• Motor vehicle records
• Health histories/information
• Credit card information (PCI)
• Have network access to others (or if someone had access to yours)

Page 17: Cyber Risk Mitigation - Eide Bailly

Common Gaps in Traditional Policies

General Overview:

• Assets
• Business interruption
• Privacy liability
• Network liability

Page 18: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Network Security Liability:

Liability to a third party as a result of:

• Destruction of a third party’s electronic data
• Your network's participation in denial-of-service attacks
• Transmission of viruses to third-party computer systems

Page 19: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Data Privacy Liability:

Liability to a third party as a result of:

• Unauthorized disclosure of personally identifiable information
• Unauthorized disclosure of third-party confidential information in your care, custody or control
• Defense against regulatory actions

Page 20: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Crisis Management:

Expenses to respond to a personal data breach event including:

• Computer forensic costs
• Notification cost including call center costs
• Credit monitoring and identity theft protection costs
• Public relations and crisis management consultancy costs

Page 21: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Cyber Extortion:

Expenses to respond to a personal data breach event including:

• Computer forensic costs
• Notification costs including call center costs
• Credit monitoring and identity theft protection costs
• Public relations and crisis management consultancy costs

Page 22: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Network Business Interruption:

The interruption or suspension of computer systems resulting in:

• Your potential loss of income
• Extra expense incurred to mitigate an income loss resulting from:
  • A network security breach
  • A network failure

Page 23: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Data Asset Protection:

The corruption or destruction of data or computer programs incurs:

• Replacement, restoration, or rectification costs
• Costs to determine that data or programs cannot be replaced

Page 24: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Multimedia Liability:

Liability arising from online and offline content stemming from:

• Infringement of intellectual property rights
• Invasion of privacy
• Defamation
• Negligent publication or misrepresentation

Page 25: Cyber Risk Mitigation - Eide Bailly

Key Insurance Coverages

Social Engineering (Deceptive Transfer)

• A scheme that intentionally misleads an employee into sending money or diverting a payment based on fraudulent information.
• Written, verbal communication

Page 26: Cyber Risk Mitigation - Eide Bailly

Cyber Loss Impact

Page 27: Cyber Risk Mitigation - Eide Bailly

Trends and Risk Mitigation

2015 Cyber Insurance Growth Rates by Industry

[Bar chart, Marsh Clients; axis scale 0 to 70. Industries shown: Services; Retail/Wholesale; Power and Utilities; Manufacturing; Hospitality and Gaming; Health Care; Institutions; Education; Communication, Media and Tech; All Industries.]

Page 28: Cyber Risk Mitigation - Eide Bailly

Where to start

Underwriters are interested in the following:

• Dedicated information security resources
• Evaluate potential risk
• Identify what you are trying to protect – what types of data
• Defined information security policies and procedures
• Employee education
• Incident response plan
• Security measures
• Vendor management

Page 29: Cyber Risk Mitigation - Eide Bailly

Cyber Security Risk

How Secure are Your Third-Party Partners?

Functions Being Outsourced

• Payroll
• Accounting/Tax
• Employee benefits administration
• Audits
• Credit card processing
• Information technology

Page 30: Cyber Risk Mitigation - Eide Bailly

First Steps – Get Your Bearings

Scope of Cyber Security Assessment

1. Access Control
2. Audit and Accountability
3. Configuration Management
4. Contingency Planning
5. Incident Response
6. IT Security Planning
7. Mobile Device Management
8. Physical Security
9. Risk Management
10. System Operations

Page 31: Cyber Risk Mitigation - Eide Bailly

Basics to consider cyber readiness

Evaluation of your internal readiness and understandings

• No one is immune
• Operation resiliency/redundancy
• Employees – continual training and communication
• Practice – incident response plan and testing
• Response metrics – detection to action to resolution
• Support and forensic firms

Page 32: Cyber Risk Mitigation - Eide Bailly

Security Standards

National Institute of Standards & Technology (NIST) Cyber Security Framework

• Identify
• Protect
• Detect
• Respond
• Recover

Page 33: Cyber Risk Mitigation - Eide Bailly

Cyber Risk Management

• Set the tone from the top.
• Identify, measure, mitigate and monitor risks.
• Develop risk management processes commensurate with your institution's level of risk and complexity.
• Align IT strategy with business strategy and account for how risks will be managed both now and in the future.
• Create a governance process to ensure ongoing awareness and accountability.
• Ensure reports to you and your board are meaningful and timely with metrics on the institution's vulnerability to cyber risks and potential business impacts.

Page 34: Cyber Risk Mitigation - Eide Bailly

Mitigating Cyber Risk

Security Awareness Training

Less than half of surveyed companies require security awareness training for all employees

Just under one-third of respondents said that their organization required higher-level executives (CEOs and C-Level) to participate

Source: 2016 Experian Data Breach Resolution and Ponemon Institute Report

Page 35: Cyber Risk Mitigation - Eide Bailly

Common Cyber Insurance Objections

An estimated two-thirds of businesses are without cyber insurance:

• National Cyber Security Alliance found that 1 in 5 small businesses fall victim to cyber crime.
• 60% of those businesses go out of business within six months. (Victor O Schinnerer & Co.)
• A firewall or router from your IT vendor protects generic antivirus and malware attacks.
• General liability policies lack flexibility to address new and emerging cyber breaches.
• The cyber world is continuing to evolve. Many carriers are changing coverages yearly.

Page 36: Cyber Risk Mitigation - Eide Bailly

Final Thoughts

Summary

• Understand your network and possible infrastructure challenges.
• Train your business team on cyber threats through email, website, and social media.
• Work with your insurance professionals for policy guidance.
• Consult with companies that understand business challenges prior to cyber issues and after a threat has occurred.

Page 37: Cyber Risk Mitigation - Eide Bailly

Karen Andersen
612.253.6638
[email protected]

Eric Pulse
605.997.4847
[email protected]

Page 38: Cyber Risk Mitigation - Eide Bailly

Jared Ducommun
Sales Executive – Property & Casualty

Howalt+McDowell Marsh McLennan Agency

605-339-3874

[email protected]