Cyber Risk Mitigation Eide Bailly Howalt + McDowell Insurance
Introduction: Meet your presenters
Eric Pulse, Risk Advisory Director
- 20 years in the public accounting and consulting industry providing information technology risk advisory and cyber security consulting services to a variety of industries
- Certifications: Certified Information Systems Auditor; Certified Information Security Manager; Certified in Risk and Information Systems Control; GIAC Security Essentials Certification; Certified Financial Services Auditor
Introduction
Karen Andersen, Risk Advisory Manager
- 20+ years of technology consulting experience across a wide variety of industries performing cyber security assessments and risk assessments
- Karen also provides expertise in the areas of PII, e-discovery, data breaches, HIPAA assessments, investigations, and information risk assessments
- Certifications: Certified Information Security Manager
Introduction
Jared Ducommun, Sales Executive, Property & Casualty, Howalt + McDowell Insurance, a Marsh McLennan Agency
- 16 years of experience with Internet and network infrastructure
Agenda
- Cyber Threat Environment
- Challenges of Cyber Security
- Value of Data on the Black Market
- Cyber Insurance Trends
- Intersection of Cyber Insurance and Risk Mitigation
- Cyber Risk Mitigation: NIST Framework
- It Pays to be Prepared
Maybe the Biggest Challenge
"This is core to the hacker mentality: We hack systems that can be hacked and leave the rest."
Sean Parker, co-founder of Napster and founding president of Facebook
Cyber Challenges: Threats are fluid
"The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk and relative controls to a particular system. You would be rewriting the white paper constantly..."
Adam Vincent, Chief Technology Officer, Layer 7
Types of threats
Common cyber threats to most organizations:
- Malicious software or "malware"
- Distributed denial of service attacks
- Data leakage
- Third-party/cloud vendor risks
- Mobile/web application vulnerabilities
- Weaknesses in project management or change management
Causes of Cyber Intrusions
Percentage of claims by cause of loss:
- Hacker: 27%
- Malware/Virus: 16%
- Lost/Stolen Device: 12%
- Staff Mistake: 10%
- Paper Records: 9%
- Rogue Employee: 8%
- All other causes: 18%
Source: NetDiligence 2017 Cyber Claims Study
Targets
Smaller companies/vendors = bigger targets
Solution:
- Increased due diligence
- Contractual provisions requiring cyber security standards and notice of breaches
- Cyber security insurance requirement for vendors
- Information sharing
What's Your Data Worth?
Advertised prices on the black market:
- U.S.-based credit card with verification: $1-$6
- An identity (including U.S. bank account, credit card, date of birth, and gov.-issued ID): $14-$18
- List of 29,000 emails: $5
- Online bank account with $9,900 balance: $300
- Phishing website hosting: $3-$5
- Verified PayPal account with balance: $50-$500
- Skype account: $12
- One month World of Warcraft account: $10
Value to a hacker: 40M records sold for $2 per record = $80M in profit
Detailed Costs
- Average cost of a corporate data breach: $3.62 million
- U.S. FY 2017 average was $216 per record; U.S. FY 2016 average was $225 per record
- Medical information is worth more than credit card data (10 times more). It can't be regenerated.
- Thieves use stolen medical data to order health care equipment or drugs and then resell them, submit made-up claims to insurance companies, etc.
Additional Costs
Direct and indirect costs incurred by the organization:
- Forensic experts
- Outsourcing hotline support
- Providing free credit monitoring subscriptions
- Discounts for future products and services
- In-house investigations and communications
- Extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates
- Don't forget counsel and any related litigation
Cyber Insurance: Timing is everything
Walter Anders, head of Hunton & Williams' insurance litigation and recovery practice, says that many of those who have cyber insurance discover too late that their policies are not useful.
Source: Monika Gonzalez Mesa, Daily Business Review
Cyber Insurance: Recent Trends
- Roughly 80 different markets offering cyber products
- Pricing for cyber insurance has trended down over the years
- Coverages have broadened
- Integrated resource enhancement with coverages
- Increased underwriting scrutiny
- Cyber is not standardized
- Legal precedent is still being set
Cyber Insurance: Who needs coverage?
Everyone needs to have cyber insurance, but here are some of the main exposures with the largest risks. Companies that have:
- Personally identifiable information
- Social Security numbers
- Banking information
- Driver's license
- Motor vehicle records
- Health histories/information
- Credit card information (PCI)
- Network access to others (or if someone has access to yours)
Common Gaps in Traditional Policies
General overview:
- Assets
- Business interruption
- Privacy liability
- Network liability
Key Insurance Coverages: Network Security Liability
Liability to a third party as a result of:
- Destruction of a third party's electronic data
- Your network's participation in denial-of-service attacks
- Transmission of viruses to third-party computer systems
Key Insurance Coverages: Data Privacy Liability
Liability to a third party as a result of:
- Unauthorized disclosure of personally identifiable information
- Unauthorized disclosure of third-party confidential information in your care, custody or control
- Defense against regulatory actions
Key Insurance Coverages: Crisis Management
Expenses to respond to a personal data breach event, including:
- Computer forensic costs
- Notification costs, including call center costs
- Credit monitoring and identity theft protection costs
- Public relations and crisis management consultancy costs
Key Insurance Coverages: Cyber Extortion
Expenses to respond to a personal data breach event, including:
- Computer forensic costs
- Notification costs, including call center costs
- Credit monitoring and identity theft protection costs
- Public relations and crisis management consultancy costs
Key Insurance Coverages: Network Business Interruption
The interruption or suspension of computer systems resulting in:
- Your potential loss of income
- Extra expense incurred to mitigate an income loss
resulting from:
- A network security breach
- A network failure
Key Insurance Coverages: Data Asset Protection
The corruption or destruction of data or computer programs incurs:
- Replacement, restoration, or rectification costs
- Costs to determine that data or programs cannot be replaced
Key Insurance Coverages: Multimedia Liability
Liability arising from online and offline content stemming from:
- Infringement of intellectual property rights
- Invasion of privacy
- Defamation
- Negligent publication or misrepresentation
Key Insurance Coverages: Social Engineering (Deceptive Transfer)
A scheme that intentionally misleads an employee into sending money or diverting a payment based on fraudulent information, delivered by written or verbal communication.
Cyber Loss Impact
[Chart on the original slide; its data is not recoverable from the extracted text]
Trends and Risk Mitigation
[Chart: 2015 Cyber Insurance Growth Rates by Industry, Marsh Clients. Industries shown: All Industries; Communication, Media and Tech; Education Institutions; Health Care; Hospitality and Gaming; Manufacturing; Power and Utilities; Retail/Wholesale; Services. Axis runs 0 to 70; the per-industry values are not recoverable from the extracted text.]
Where to start
Underwriters are interested in the following:
- Dedicated information security resources
- Evaluate potential risk
- Identify what you are trying to protect: what types of data
- Defined information security policies and procedures
- Employee education
- Incident response plan
- Security measures
- Vendor management
Cyber Security Risk: How Secure are Your Third-Party Partners?
Functions being outsourced:
- Payroll
- Accounting/Tax
- Employee benefits administration
- Audits
- Credit card processing
- Information technology
First Steps: Get Your Bearings
Scope of Cyber Security Assessment:
1. Access Control
2. Audit and Accountability
3. Configuration Management
4. Contingency Planning
5. Incident Response
6. IT Security Planning
7. Mobile Device Management
8. Physical Security
9. Risk Management
10. System Operations
Basics to consider: cyber readiness
- Evaluation of your internal readiness and understanding
- No one is immune
- Operational resiliency/redundancy
- Employees: continual training and communication
- Practice incident response plan and testing
- Response metrics: detection to action to resolution
- Support and forensic firms
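The "detection to action to resolution" metric on this slide is only useful if it is actually computed from incident records. The following is an added example, not material from the presenters or the deck: it takes a constructed list of incident milestones (hypothetical timestamps) and reports mean and worst-case detection-to-action and action-to-resolution times, plus the incidents that missed a response target.

```python
from datetime import datetime
from statistics import mean

# Constructed incident timeline records (hypothetical, not taken from the deck).
# Each record carries the three milestones the slide names:
# detection, first response action, and resolution.
INCIDENTS = [
    {"id": "INC-001", "detected": "2017-03-01T08:15:00",
     "actioned": "2017-03-01T09:00:00", "resolved": "2017-03-02T17:30:00"},
    {"id": "INC-002", "detected": "2017-03-10T22:40:00",
     "actioned": "2017-03-11T07:10:00", "resolved": "2017-03-11T12:00:00"},
    {"id": "INC-003", "detected": "2017-04-02T13:05:00",
     "actioned": "2017-04-02T13:20:00", "resolved": "2017-04-02T15:50:00"},
]


def _parse(ts):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(ts)


def incident_durations(incident):
    """Return (detection_to_action, action_to_resolution) in hours for one incident.

    Milestones that are out of order indicate a data-entry error in the
    record, so they are rejected rather than silently producing negative times.
    """
    d, a, r = (_parse(incident[k]) for k in ("detected", "actioned", "resolved"))
    if not (d <= a <= r):
        raise ValueError(f"{incident['id']}: milestones out of order")
    return ((a - d).total_seconds() / 3600, (r - a).total_seconds() / 3600)


def response_metrics(incidents):
    """Mean and worst-case durations across all incidents, in hours."""
    d2a, a2r = zip(*(incident_durations(i) for i in incidents))
    return {
        "incidents": len(incidents),
        "mean_detection_to_action_h": round(mean(d2a), 2),
        "max_detection_to_action_h": round(max(d2a), 2),
        "mean_action_to_resolution_h": round(mean(a2r), 2),
        "max_action_to_resolution_h": round(max(a2r), 2),
    }


def exceeding_action_target(incidents, target_hours):
    """IDs of incidents whose detection-to-action time exceeded the target."""
    return [i["id"] for i in incidents
            if incident_durations(i)[0] > target_hours]


if __name__ == "__main__":
    for key, value in response_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
    # Hypothetical 4-hour target for first response action
    print("missed 4h action target:", exceeding_action_target(INCIDENTS, 4))
```

The worst-case values matter as much as the means: a single overnight detection (INC-002 in the constructed data) shows up in the maximum even when the average looks acceptable, which is the kind of gap a tabletop exercise of the incident response plan should surface.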
Security Standards
National Institute of Standards & Technology (NIST) Cyber Security Framework functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Cyber Risk Management
- Set the tone from the top.
- Identify, measure, mitigate and monitor risks.
- Develop risk management processes commensurate with your institution's level of risk and complexity.
- Align IT strategy with business strategy and account for how risks will be managed both now and in the future.
- Create a governance process to ensure ongoing awareness and accountability.
- Ensure reports to you and your board are meaningful and timely, with metrics on the institution's vulnerability to cyber risks and potential business impacts.
Mitigating Cyber Risk: Security Awareness Training
- Less than half of surveyed companies require security awareness training for all employees
- Just under one-third of respondents said that their organization required higher-level executives (CEOs and C-level) to participate
Source: 2016 Experian Data Breach Resolution and Ponemon Institute Report
Common Cyber Insurance Objections
An estimated two-thirds of businesses are without cyber insurance:
- The National Cyber Security Alliance found that 1 in 5 small businesses fall victim to cyber crime.
- 60% of those businesses go out of business within six months. (Victor O. Schinnerer & Co.)
Common objections:
- "A firewall or router from your IT vendor protects against generic antivirus and malware attacks."
- General liability policies lack the flexibility to address new and emerging cyber breaches.
- The cyber world is continuing to evolve. Many carriers are changing coverages yearly.
Final Thoughts: Summary
- Understand your network and possible infrastructure challenges.
- Train your business team on cyber threats through email, website, and social media.
- Work with your insurance professionals for policy guidance.
- Consult with companies that understand business challenges prior to cyber issues and after a threat has occurred.
Eric Pulse, 605.997.4847, epulse@eidebailly.com
Karen Andersen, 612.253.6638, kdandersen@eidebailly.com
Jared Ducommun, Sales Executive, Property & Casualty, Howalt+McDowell, Marsh McLennan Agency, 605-339-3874, Jared.Ducommun@marshmma.com