You've been hacked
Riekie Gordon, Roger Truebody & Alexandra Schudel

Why should you care?
- US$4.6 billion to US$121 billion (Lloyd's)
- US$45 billion not covered

The plot thickens
- 2016 Barkly Survey: 33% of IT professionals hacked; 52% not planning security changes
- "It's a business model that works and you don't need a lot of investment to actually get a decent return" (Tim Wellsmore, of FireEye, a network security company)
Why should you care?
- Email system
- Data loss
- Employees
- Reputational damage
- Suppliers & partners
- Business interruption

Agenda
1. Cyber drivers
2. Dealing with it
3. Integration
4. Transfer
Cyber drivers: If you only remembered five things!
1. Introduced by connected technology; the impact is primarily experienced at a business level.
2. This is a pervasive risk, dealt with via programmes, not projects.
3. Management oversees risk, monitors relevant policies and procedures, and plays a significant strategic role in overseeing and interrogating the response to the cyber threat.
4. Management is including cyber risk as a regular agenda item (often as a Top 5 risk) and is mandating sub-committees (e.g. Risk, Audit) to oversee management of, and response to, this risk.
5. Management needs to understand the defensive value chain and link it to other macro business developments. Refer to the impact factors of a cyber attack.
Cyber drivers: Tools, tactics & procedures
- Social engineering
- Password theft
- Ransomware & doxxing
- Evasion tactics
- Website compromise
- Exploits
- DDoS
- Botnets
- Phishing

Cyber drivers: Threat vectors
Understanding your threat landscape is the start.
- Employees
- Smart devices
- Email
- Suppliers & partners
- Mobile devices
- Customers
Reality check: Examples
What do you stand to lose?
- Lawsuits totalling $1 billion
- Website compromise??
- Password theft: R300 million ($19 million) from ATMs
- Social engineering (employees)
- Target: CEO & head of technology fired
- Employees / password theft
Cyber drivers: Accountability
- Board-level obligation to extend due care (King IV report)
- Personal executive accountability
Considerations:
- Measuring and managing it
- Confidentiality and regulatory frameworks
- Brand, reputation and market perception
- Security as a market differentiator
- Diffusion of commercial benefit

Reality check: Examples
How were the Gupta emails leaked?
Dealing with it: 10 key questions
1. Do we demonstrate effective management of cyber risk?
2. Do we have the right leader and talent?
3. Do we have appropriate cyber risk escalation frameworks, risk appetite, and reporting thresholds?
4. Are we focused on, and investing in, the right things? If so, do we evaluate and measure the results of our decisions?
5. How do our cyber risk programmes and capabilities align to those of our peers?
6. Do we have a cyber-focused culture, organisation-wide?
7. What have we done to protect the organisation against third-party cyber risks?
8. Can we rapidly contain damages and mobilise response resources when a cyber incident occurs?
9. How do we evaluate the effectiveness of our organisation's cyber risk programme?
10. Are we a strong and secure link in the highly connected ecosystems in which we operate?
Refer to "Assessing cyber risk - Critical questions for the Board and C-suite".
Dealing with it
In our response/approach, how have we considered:
- Who might attack
- What they are after
- Possible tactics
- Action plan
- Cyber programme & governance

Dealing with it
Risk-management-driven cyber security means that:
- Risk exposure dictates the allocation of budget and effort
- Integrate cyber strategy with business strategy
- Protect the heart of the business: critical operations
- Identify and protect your crown jewels: data
- Don't allow gaps to leave you exposed
- Develop a strong cybersecurity framework
- Non-negotiable areas to fortify
- Security starts at the top: put a senior executive at the helm

Dealing with it
Managing cyber risks:
- Secure: your actual defences against an attack, including everything from cybersecurity strategies to policies and procedures to systems and controls.
- Vigilant: your early warning systems, which enable you to identify potential threats before they hit, and to quickly detect attacks and breaches as they occur.
- Resilient: your ability to respond quickly to attacks, and to bounce back quickly with minimal impact on your organisation, reputation and brand.
Action plan
Integration
- Risk / ORSA policy
- Processes & procedures
- Risk appetite
- SAM / ERM framework
- Reporting structures
- Measuring / quantifying
- Risk register

The insurance involvement
- Risk management / simulations / environment analysis
- Broker / benchmark
- Insurer: incident response platform
Cyber event: the first 24 hours
1. Pre-event: risk profile analysis and landscape analysis
   - Type of attack
   - Pre-defined strategy
2. Pre-event: artefact collection, digital footprint
   - What information do we have? Where is it? Pathways?
   - What was clearly affected?
3. Event: analysis of the actual incident
   - Define strategy

Incident response
- Incident manager
- First notification of loss
- Network / IT forensics
- Public relations
- Extortion
- Regulatory notification
- Legal
- Identity protection
- Public notification
The coverage: Privacy Liability
Wrongful disclosure of personal & corporate information
- Defence expenses
- Legal liability
- Regulatory defence expenses
- Privacy-related fines/penalties

The coverage: Security Liability
Failure to deter a computer malicious act
- Defence expenses
- Legal liability
- Regulatory defence expenses
- Privacy-related fines/penalties

The coverage: Incident Response costs
Incident management, forensic investigation, notification, fraud remediation, legal consultation, public relations

The coverage: Electronic Media Content
Internet media liability: defence expenses & legal liability for:
- IPR infringement
- Defamation / libel / slander
- Negligence

The coverage: Cyber Extortion
Expense & extortion payments arising from threats to exploit vulnerabilities or release information (ransomware)

The coverage: Business Interruption & Data Asset Loss
- Business income loss and recovery costs arising from network outage
- Recovery costs to deal with loss/corruption of data
Caused by computer malicious acts:
- Malware & hacking
- Unauthorised use or access
- Programming / human error
- Power failure
Claims example: Ransomware
Scenario: car components manufacturing company; malicious link; malware encrypting information; demand of R100,000.
Response: incident response manager and IT forensic investigator; determine whether the company can avoid paying the ransom.
Coverage sections engaged:
- Network Security Liability: failure of the insured's network security
- Cyber Extortion: costs of addressing threats unless extortion monies are paid; information technology consultant fees
- Incident Response Expenses: forensic investigation costs; legal consultation fees; incident response manager fees
- Data Asset Loss: costs of replacing lost/corrupt data

Claims example: Disparagement via email
Scenario: internal email containing negative comments regarding a service provider is forwarded internally and eventually sent externally; the email is seen by the service provider; defamation lawsuit for harming the service provider's reputation.
Coverage sections engaged:
- Media Liability: third-party claims arising from the insured's internet media activities. Wrongful acts include product defamation, disparagement, trade libel, false light and plagiarism. Defence and settlement costs for claims from the service provider.
- Incident Response Expenses: crisis communication services; public relations expert fees to minimise reputational impact; incident response manager fees
Claims count by trigger
- Hack: 30%
- Human error: 18%
- Lost/stolen devices: 15%
- Rogue employees: 12%
- Unknown: 12%
- Privacy policy: 6%
- Paper: 5%
- Software error: 2%

Claims count by industry
- Healthcare: 31%
- Professional services: 15%
- Technology: 10%
- Retail: 8%
- Financial institutions: 8%
- Education: 7%
- Travel & hospitality: 6%
Cyber claims and industry trends: Triggers by industry segment
[Bar charts, percentage of claims by trigger; values not recoverable from the extracted text]
- Healthcare: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy
- Financial Institutions: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy
- Public Entity: Hack, Paper, Human Error, Unknown, Privacy Policy
- Professional Services: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy
What is not covered?
- Deliberate fraud / dishonesty (on final adjudication); rogue employees are covered
- Bodily injury or property damage
- Internet service provider hosting your website (unless under your control)
- Acts of war; cyber terrorism is covered
- Unauthorised collection of personal data; unintentional collection is covered
- Equipment / hardware

Considerations
- Capacity available in the market
- What limit is appropriate
- Quantification
- Follow-on D&O claims
- Complex to understand: fear of IT

Considerations (cont.)
- Condition precedent language: beware
- Systemic breaches are a possibility
- Scale of losses for the insurance market
- What is needed to quote
According to PwC's report "Global Economic Crime Survey 2016", 32% of South African organisations have experienced cybercrime, and it is the fourth most reported type of economic crime in the country, and second internationally.

Why should you care?
Take it seriously.

So what?
- Do you understand your risk?
- How much exposure do you have?
- Do you need to change controls, or be more proactive about training or cyber-watch?
- The risk is not going away. Are you prepared?