Cyber Risk Mitigation - Eide Bailly
TRANSCRIPT
www.eidebailly.com/cybersecurity

Cyber Risk Mitigation
Eide Bailly
Howalt + McDowell Insurance

Introduction: Meet your presenters

Eric Pulse
Risk Advisory | Director
• 20 years in the public accounting and consulting industry providing information technology risk advisory and cyber security consulting services to a variety of industries
• Certifications:
  • Certified Information Systems Auditor
  • Certified Information Security Manager
  • Certified in Risk and Information Systems Control
  • GIAC Security Essentials Certification
  • Certified Financial Services Auditor

Introduction

Karen Andersen
Risk Advisory | Manager
• 20+ years of technology consulting experience across a wide variety of industries performing cyber security assessments and risk assessments
• Karen also provides expertise in the areas of PII, eDiscovery, data breaches, HIPAA assessments, investigations, and information risk assessments
• Certifications:
  • Certified Information Security Manager

Introduction

Jared Ducommun
Sales Executive, Property & Casualty
• Howalt + McDowell Insurance, a Marsh McLennan Agency
• 16 years of experience with Internet and network infrastructure

Agenda
• Cyber Threat Environment
• Challenges of Cyber Security
• Value of Data on the Black Market
• Cyber Insurance Trends
• Intersection of Cyber Insurance and Risk Mitigation
• Cyber Risk Mitigation
• NIST Framework
• It Pays to be Prepared

Maybe the Biggest Challenge
"This is core to the hacker mentality: we hack systems that can be hacked and leave the rest."
Sean Parker, co-founder of Napster and founding president of Facebook

Cyber Challenges: Threats are fluid
"The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk and relative controls to a particular system. You would be rewriting the white paper constantly ..."
Adam Vincent, Chief Technology Officer, Layer 7

Types of threats
Common cyber threats to most organizations:
• Malicious software or "malware"
• Distributed denial of service attacks
• Data leakage
• Third-party/cloud vendor risks
• Mobile/web application vulnerabilities
• Weaknesses in project management or change management

Causes of Cyber Intrusions
Percentage of claims by cause of loss:
• 27% Hacker
• 16% Malware/virus
• 12% Lost/stolen device
• 10% Staff mistake
• 9% Paper records
• 8% Rogue employee
• 18% All other causes
Source: NetDiligence 2017 Cyber Claims Study

Targets
Smaller companies/vendors = bigger targets
Solution:
• Increased due diligence
• Contractual provisions requiring cyber security standards and notice of breaches
• Cyber security insurance requirement for vendors
• Information sharing

What's Your Data Worth?
Advertised prices on the black market:
• U.S.-based credit card with verification | $1-$6
• An identity (including U.S. bank account, credit card, date of birth, and gov.-issued ID) | $14-$18
• List of 29,000 emails | $5
• Online bank account with $9,900 balance | $300
• Phishing website hosting | $3-$5
• Verified PayPal account with balance | $50-$500
• Skype account | $12
• One month World of Warcraft account | $10
Value to a hacker: 40M records sold for $2 each | $80M in profit

Detailed Costs
Average cost of a corporate data breach: $3.62 million
• U.S. FY 2017 average was $216 per record
• U.S. FY 2016 average was $225 per record
Medical information is worth more than credit card data:
• 10 times more
• It can't be regenerated
• Thieves use stolen medical data to order health care equipment or drugs and then resell them, submit made-up claims to insurance companies, etc.

Additional Costs
Direct and indirect costs incurred by the organization:
• Forensic experts
• Outsourcing hotline support
• Providing free credit monitoring subscriptions
• Discounts for future products and services
• In-house investigations and communications
• Extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates
• Don't forget counsel and any related litigation

Cyber Insurance: Timing is everything
Walter Anders, head of Hunton & Williams' insurance litigation and recovery practice, says that many of those who have cyber insurance discover too late that their policies are not useful.
Source: Monika Gonzalez Mesa, Daily Business Review

Cyber Insurance: Recent Trends
• Roughly 80 different markets offering cyber products
• Pricing for cyber insurance has trended down over the years
• Coverages have broadened
• Integrated resource enhancement with coverages
• Increased underwriting scrutiny
• Cyber is not standardized
• Legal precedent is still being set

Cyber Insurance: Who needs coverage?
Everyone needs to have cyber insurance, but here are some of the main exposures with the largest risks. Companies that have:
• Personally identifiable information
• Social Security numbers
• Banking information
• Driver's licenses
• Motor vehicle records
• Health histories/information
• Credit card information (PCI)
• Network access to others (or if someone has access to yours)

Common Gaps in Traditional Policies
General overview:
• Assets
• Business interruption
• Privacy liability
• Network liability

Key Insurance Coverages: Network Security Liability
Liability to a third party as a result of:
• Destruction of a third party's electronic data
• Your network's participation in denial-of-service attacks
• Transmission of viruses to third-party computer systems

Key Insurance Coverages: Data Privacy Liability
Liability to a third party as a result of:
• Unauthorized disclosure of personally identifiable information
• Unauthorized disclosure of third-party confidential information in your care, custody or control
• Defense against regulatory actions

Key Insurance Coverages: Crisis Management
Expenses to respond to a personal data breach event, including:
• Computer forensic costs
• Notification costs including call center costs
• Credit monitoring and identity theft protection costs
• Public relations and crisis management consultancy costs

Key Insurance Coverages: Cyber Extortion

Key Insurance Coverages: Network Business Interruption
The interruption or suspension of computer systems resulting in:
• Your potential loss of income
• Extra expense incurred to mitigate an income loss
resulting from:
• A network security breach
• A network failure

Key Insurance Coverages: Data Asset Protection
The corruption or destruction of data or computer programs incurs:
• Replacement, restoration, or rectification costs
• Costs to determine that data or programs cannot be replaced

Key Insurance Coverages: Multimedia Liability
Liability arising from online and offline content stemming from:
• Infringement of intellectual property rights
• Invasion of privacy
• Defamation
• Negligent publication or misrepresentation

Key Insurance Coverages: Social Engineering (Deceptive Transfer)
• A scheme that intentionally misleads an employee into sending money or diverting a payment based on fraudulent information
• Written or verbal communication

Cyber Loss Impact
Trends and Risk Mitigation: 2015 Cyber Insurance Growth Rates by Industry (Marsh Clients)
[Chart: bar chart of 2015 cyber insurance growth rates, axis scale 0 to 70, for: Services; Retail/Wholesale; Power and Utilities; Manufacturing; Hospitality and Gaming; Health Care; Institutions; Education; Communication, Media and Tech; All Industries]

Where to start
Underwriters are interested in the following:
• Dedicated information security resources
• Evaluate potential risk
• Identify what you are trying to protect (what types of data)
• Defined information security policies and procedures
• Employee education
• Incident response plan
• Security measures
• Vendor management

Cyber Security Risk: How Secure are Your Third-Party Partners?
Functions being outsourced:
• Payroll
• Accounting/Tax
• Employee benefits administration
• Audits
• Credit card processing
• Information technology

First Steps – Get Your Bearings
Scope of cyber security assessment:
1. Access Control
2. Audit and Accountability
3. Configuration Management
4. Contingency Planning
5. Incident Response
6. IT Security Planning
7. Mobile Device Management
8. Physical Security
9. Risk Management
10. System Operations

Basics to consider for cyber readiness
Evaluation of your internal readiness and understanding:
• No one is immune
• Operational resiliency/redundancy
• Employees: continual training and communication
• Practice: incident response plan and testing
• Response metrics: detection to action to resolution
• Support and forensic firms

Security Standards: National Institute of Standards & Technology (NIST) Cyber Security Framework
The five core functions:
• Identify
• Protect
• Detect
• Respond
• Recover

Cyber Risk Management
• Set the tone from the top.
• Identify, measure, mitigate and monitor risks.
• Develop risk management processes commensurate with your institution's level of risk and complexity.
• Align IT strategy with business strategy and account for how risks will be managed both now and in the future.
• Create a governance process to ensure ongoing awareness and accountability.
• Ensure reports to you and your board are meaningful and timely, with metrics on the institution's vulnerability to cyber risks and potential business impacts.

Mitigating Cyber Risk: Security Awareness Training
• Less than half of surveyed companies require security awareness training for all employees
• Just under one-third of respondents said that their organization required higher-level executives (CEOs and C-level) to participate
Source: 2016 Experian Data Breach Resolution and Ponemon Institute Report

Common Cyber Insurance Objections
An estimated two-thirds of businesses are without cyber insurance:
• National Cyber Security Alliance found that 1 in 5 small businesses fall victim to cyber crime.
• 60% of those businesses go out of business within six months. (Victor O. Schinnerer & Co.)
• A firewall or router from your IT vendor protects against generic virus and malware attacks.
• General liability policies lack flexibility to address new and emerging cyber breaches.
• The cyber world is continuing to evolve. Many carriers are changing coverages yearly.

Final Thoughts: Summary
• Understand your network and possible infrastructure challenges.
• Train your business team on cyber threats through email, website, and social media.
• Work with your insurance professionals for policy guidance.
• Consult with companies that understand business challenges prior to cyber issues and after a threat has occurred.

Karen Andersen | 612.253.6638
Eric Pulse | 605.997.4847
Jared Ducommun | Sales Executive – Property & Casualty, Howalt + McDowell, Marsh McLennan Agency | 605-339-3874