New A.M. Best Cyber Questionnaire
PAMIC Western Conference
October 2015
Agenda
- Questions
- The A.M. Best Cyber Risk Questions
- Cybersecurity Framework
- Guiding Principles for Boards
Cyber Security vs Information Security
Cyber Security is the use of various technologies and processes to protect networks, computers, programs and data from attack, damage or unauthorized access.
Information Security is protecting information from unauthorized access, use, disruption, modification or destruction, regardless of how the information is stored – electronic or physical.
Content of the Questionnaire
Cyber Risks
Coverage offered:
- Privacy (HIPAA) violations
- Credit monitoring costs
- Cloud technologies and exposures
- General liability exposures
Coverage obtained:
- Business interruption exposures
- D&O risks
- Reconstruction costs
- Reputation risks
Information from A.M. Best Presentation*
A.M. Best survey results show:
- Only 3% of companies surveyed have written over 1,000 cyber risk policies.
- Companies with larger surplus positions have experienced more cyber attacks, but size does not eliminate risk.
- 72% of companies report that responsibility for cyber security rests with the IT department.
- The most significant challenge reported by management is a lack of data and consequence-oriented analytics.
*A.M. Best Insurance Industry Update, IASA NY/NJ Chapter, Robert Raber, Senior Financial Analyst, A.M. Best Company, May 18, 2015
Information from A.M. Best Presentation*, Continued
- A.M. Best added specific questions to the Supplemental Rating Questionnaire, and analysts are including cyber coverage in rating meeting discussions.
- A.M. Best Special Report “Cyber Security Presents Challenging Landscape for Insurers and Insureds”, December 5, 2014
Cyber Questions
- Has your company been a target of a data breach/cyber-attack?
- Where does the responsibility lie in your organization to manage cyber related risks?
- What controls do you have in place?
- Do you offer coverage as a separate policy or bundled?
- What are your premium and loss expectations?
- What are your costs for Crisis Services (forensics, notification)?
- What is your legal defense cost?
Other Questions Asked
- What controls (internal and external) do you have in place to manage a data breach / cyber attack (policies and procedures)?
- How often do you conduct penetration testing?
- How often do the company’s cyber security professionals receive training?
- During the past five years, how much have you invested in upgrading systems (hardware and software)?
- How much of such investment was specifically dedicated to preventive measures against cyber attacks and data breaches?
- How much are you planning to invest during the next two years?
- If you use TPAs, cloud, or shared devices (storage or otherwise), how are you managing your risks?
- Briefly describe your efforts to ensure up-to-date “best practices” and the latest preventative methods are used.
Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology (NIST) Framework – five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Five Principles – Boards seeking to enhance oversight of cyber risks
I. Cybersecurity is an Enterprise Risk Management issue, not just an Information Technology issue.
II. Boards should understand the legal implications of cyber risks.
III. Boards should have access to cybersecurity expertise and discuss it regularly – a standing agenda item.
IV. Boards should set the expectation that management establishes an ERM framework with adequate staffing and budget.
V. Board and management discussion of cyber risk strategies – avoidance, acceptance, mitigation or transfer – with specific plans.
Source: National Association of Corporate Directors + AIG + Internet Security Alliance, Five Guiding Principles
Contact Information
Lisa Cosentino, CPA, CIA, CFE, FLMI
Managing Director
Cell 215.300.7361
Office 267.670.7320