Cybersecurity Insurance: New Risks and New Challenges

SESSION ID: SDS1-F01
Cybersecurity Insurance: New Risks and New Challenges
Mark Weatherford, Chief Cybersecurity Strategist, vArmour, @marktw

The cybersecurity market in the Asia Pacific region contributes 17.21 percent of the global market and will grow to 21.16 percent by 2019.*
*MicroMarketMonitor

Organizations in the Asia-Pacific region were forecast to spend $230 billion to deal with cybersecurity breaches in 2014, the highest amount for any region in the world.*
*International Data Corporation (IDC) and the National University of Singapore survey, as reported in Marsh's Cybercrime in Asia 2014 report.

Agenda
Insurance challenges in the market today
10 reasons to invest in cyber insurance
Cyber risk assessment tools and services
10 key coverage items
So, why is insurance a catalyst for security?
Predictions: the future of cybersecurity insurance

Cybersecurity insurance challenges
Covered losses and expenses
A static underwriting process for a dynamic risk
Risk aggregation is global, not local
Limited capacity
Pricing risk is still more art than science!
Most companies have yet to commit to buying.

Covered losses
Two basic categories:
First-party losses: direct losses to the company that was breached.
Third-party losses: the costs imposed on related third parties such as partners, vendors, or customers, as a result of the breach.

Typically covered expenses
Notification expenses
Credit monitoring
Legal costs
Forensics
Public relations
Business interruption
Regulatory fines

Insurance is a traditionally static business
Historically, insurance assessments have been based on a snapshot in time through the completion of a written questionnaire, a telephone interview, or a presentation. This static approach doesn't work in the cybersecurity market, where the threat and vulnerability landscape changes daily. Insurers today are investing in, and partnering with, the security industry to develop and use risk tools and intelligence to predict and monitor the environment in real time.

Aggregation of risk
Aggregation refers to the consequences of concentrated and cascading cyber risks, where a single aggregation point, such as an internet failure, a compromised service provider, or a shared IT system used by a number of companies in the same (or different) sectors, fails or is attacked and affects all of the companies that depend on it. As cloud computing becomes more ubiquitous, one successful attack or the failure of a cloud host could cause losses to hundreds of thousands of parties who hold their data within the cloud.

Limited capacity
Capacity refers to the supply of insurance available to meet market demand and depends on the financial ability to accept risk. For an individual insurer, capacity is the maximum amount of risk it can underwrite based on its financial condition. The cybersecurity insurance market only dates back to 1998, so very little actuarial data exists, which means capacity is still growing. As the cyber insurance market capacity grows, more meaningful limits will develop as loss data accumulates and risk modeling matures. Asia accounts for about 28% of the global (total) insurance market today, but premiums are expected to double by 2020.*
*Ms. Jacqueline Loh, Deputy Managing Director, Monetary Authority of Singapore

How do insurers price risk?
A lack of sufficient metrics with respect to frequency and severity of loss, specifically for Personally Identifiable Information (PII) and Protected Health Information (PHI) assets, and for physical destruction as a result of cyber events, makes pricing risk a challenge. Fundamentally, insurers look for a strong security culture within the company as a first step in risk triage. Additional factors such as industry, revenue size, geography, and actual assets at risk contribute to how risk is priced. The evolving nature of cyber threats (DDoS, APT, ransomware) and of the IT environment (virtualization, the Internet of Things, and the cloud) compounds the problem of developing accurate actuarial data.

10 reasons to invest in cyber insurance
1. Changing threat landscape
2. Governance and an enterprise-wide risk management strategy
3. Increasing regulatory risk
4. Financial incentive
5. Vicarious risk to vendors, business associates
6. Insider threat
7. Compliance does not equal security
8. Monetizing the cost of cybersecurity
9. M&A activity
10. Operational technology

10 reasons to invest in cyber insurance
1. Dynamic threat landscape and growing number of adversaries
Private sector companies are out-matched in their ability to combat cyberattacks from nation states, global criminals and malicious insiders. In no other arena are private companies expected to do battle with:

10 reasons to invest in cyber insurance
2. Governance and an enterprise-wide risk management strategy
Cybersecurity has become a significant concern for international Boards of Directors, and they are increasingly looking at cybersecurity insurance as a financial instrument for transferring risk. Cybersecurity involves the entire enterprise, including stakeholder domains outside the IT department. Driving a culture of collaboration between stakeholders is challenging, but the underwriting process can be the catalyst for better security throughout the organization.

10 reasons to invest in cyber insurance
3. Increasing regulatory risk
Board of Director liability is resulting in new focus on cybersecurity governance on the international stage. In the United States, the Securities & Exchange Commission guidance highlights that regulators see cybersecurity insurance as part of a strong enterprise risk management strategy. Between 2010 and 2015, the number of jurisdictions with comprehensive European-style data protection regulatory regimes more than doubled from five to eleven, with new regimes coming into force in India, Malaysia, the Philippines, Singapore, South Korea and Taiwan.*
* http://www.conventuslaw.com/report/2016-data-protection-and-cyber-security-regulation/

10 reasons to invest in cyber insurance
4. Incentives
Government officials are beginning to give greater legitimacy to the role of cybersecurity insurance. There is growing support for market-based incentives, such as insurance, that reward strong cybersecurity programs with discounted premiums and broader coverage. Addressing the lack of robust actuarial data to model risk, and moving to an underwriting process that accounts for the dynamic threat environment, is a growing priority for the insurance industry.

10 reasons to invest in cyber insurance
5. Interdependencies and third party risk
Adversaries are increasingly focused on third parties such as Managed Service Providers, off-premise maintenance, and even cloud services that have access to sensitive information and other critical assets of the target enterprise. Liability for PII or PHI typically still rests with the enterprise data owner, even though a breach may have occurred at, or been the fault of, the third party.

10 reasons to invest in cyber insurance
6. Insider threat
Attacks from inside the organization continue to be difficult to prevent. Cybersecurity insurance typically provides coverage when the employee is the perpetrator, just as when the attack is from the outside. When asked who posed the biggest internal threat to corporate data, 55% of the respondents to the 2015 Vormetric Insider Threat Report identified Privileged Users, followed by contractors, service providers, and business partners.

10 reasons to invest in cyber insurance
7. Security Compliance
Treating security as a compliance issue distracts from real security and ultimately results in a false sense of security. Many companies have been in compliance with their required standards and still fell victim to a data breach or a security incident.

10 reasons to invest in cyber insurance
8. Monetizing the cost of cybersecurity
One of the biggest security leadership challenges continues to be the ability to quantify cybersecurity risk to the executive team in terms of dollars and cents, i.e. return on investment (ROI). The premium charged by an insurance company can help solve this problem, especially when implementation of security controls and policies reduces overall risk.

10 reasons to invest in cyber insurance
9. Merger and Acquisition (M&A) activity
The difficulty in evaluating the cybersecurity posture of any acquisition target leaves the acquirer vulnerable. A comprehensive due diligence risk assessment can go a long way in identifying threats and vulnerabilities and can satisfy the demands of cybersecurity insurance.

10 reasons to invest in cyber insurance
10. Operational technology
Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable due to the often very distributed nature of the OT/ICS environment. Built primarily for 24/7/365 availability and to operate in remote and isolated environments, these systems and devices have historically been air-gapped but are increasingly being connected to the corporate information technology network and the Internet.

Cyber risk assessment tools and services
A number of product and service companies have joined the market for automating the risk assessment process for cybersecurity insurance.
Underwriters are using (and developing) risk assessment products and services to require a higher level of risk maturity from potential customers.
Cybersecurity insurance customers are using risk assessment products and services to validate their maturity for underwriters and to drive down the cost of premiums.

Considerations when negotiating a policy
Exclusions: Make sure that nothing essential is excluded from the policy.
Lack of awareness of limits and sub-limits: Pay attention to the sub-limits. A high policy limit is worthless if sub-limits restrict you from collecting on damages.
Buying coverage you don't need: Calculate and document your risks and your risk tolerance to justify your decisions, which may face future scrutiny in the event of third-party inspection.
Expecting other types of insurance to cover losses: Either buy standalone cyber insurance or review existing policies to determine overall coverage.
Source: FireEye White Paper, Cyber Insurance: A Growing Imperative

Exclusion
An exclusion clause, i.e., the fine print, is a clause in an insurance contract that eliminates coverage for specified events. It's important that you understand what the restrictions are in the policy, including exclusion clauses, before you execute the contract.
EXAMPLE: "The Company shall not be liable for Loss on account of any Claim based upon, arising from, or in consequence of any fact, circumstance, situation, transaction, event, act or omission of which any Insured had knowledge prior to the inception date of the first Liability Insurance Policy issued and continuously renewed by the Company to the Parent Organization."

10 key coverage items
1. Full prior acts coverage
2. Restrict knowledge and notice of a circumstance to the executive team
3. Security warranty
4. Operational technology
5. Outside counsel
6. IT Forensics
7. Law enforcement
8. War and Terrorism
9. Intentional Act
10. Continuity of Coverage

Ten key coverage items
1. Full Prior Acts coverage
Insurers typically try to limit coverage to acts from the first day that the policy begins, known as the retroactive date. However, given the challenges in detecting an attack, buyers should seek to remove this exclusion and avoid the risk of a claim denial.

Ten key coverage items
2. Restrict knowledge and notice of a circumstance to the executive team
An insurer should not be allowed to attribute knowledge to the whole enterprise, because enterprise-wide detection has proven to be a challenge for most organizations.

Ten key coverage items
3. Security warranty
Remove any language that tries to warrant that security is maintained at the same level as represented in the underwriting submission. The dynamic nature of the risk leaves this too open to insurer interpretation in the event of a loss.

Ten key coverage items
4. Operational technology
The majority of insurance policies provide coverage only for the corporate IT network. If relevant, ensure that the language is broadened to also address operational technology such as SCADA and industrial control systems.

Ten key coverage items
5. Outside counsel
Choice of counsel must be agreed upon at the outset. In the event of a security breach, a dedicated legal expert must take the response lead, including maintaining attorney-client privilege. Negotiating with an insurer during a security incident is a very bad idea.

Ten key coverage items
6. IT Forensics
As with choice of counsel, the preferred forensics firm should be agreed upon up front, and the decision should not be left to the underwriter. Incident response and forensics can be very expensive and a significant part of the overall incident cost.

Ten key coverage items
7. Law enforcement
Law enforcement is typically involved in major security breaches, and oftentimes the first time a company knows it has been a victim is when law enforcement knocks on the door. A claim should not be excluded by an insurer for failure to disclose as soon as practicable if law enforcement had advised nondisclosure during the investigation.

Ten key coverage items
8. War and Terrorism
Many insurance policies exclude coverage for acts of war such as invasion, insurrection, revolution, military coup and terrorism. With the emergence and growth of nation state adversaries and international terrorism, this clause should be eliminated from any insurance contract.

Ten key coverage items
9. Intentional Act
Coverage that addresses the employee or insider as perpetrator, acting in isolation from the executive team.

Ten key coverage items
10. Continuity of Coverage
When renewing the insurance policy with the same insurer, you should always avoid signing a warranty regarding a circumstance or claim.

So, why is insurance a catalyst for security?
Shareholders' expectations are rising
CEOs are paying attention
Boards don't understand security and are nervous
Regulators are enforcing compliance
Government wants to legislate
Underwriters are incentivizing better security behavior
The cloud is providing new technical solutions

The future of cybersecurity insurance
Continuous monitoring and risk scoring will be the new norm. This is the process of maintaining real-time awareness of security threats and vulnerabilities to support organizational risk management decisions.
Premiums and rates will vary monthly, weekly, daily, and hourly based on the dynamic threat and vulnerability environment.
Underwriters will establish new relationships with security product vendors to incentivize spending.

Brokers are your new best friend
The role of a broker:
1. Helps document the current organizational security posture: strengths and weaknesses.
2. Helps with the application and the underwriter interview process to present the best possible case.
3. Helps choose an underwriter and negotiates the best policy.
Source: FireEye White Paper, Cyber Insurance: A Growing Imperative

To understand what is covered in any cybersecurity policy, remember the three most important rules of insurance:
1. READ THE POLICY!
2. READ THE POLICY!
3. READ THE POLICY!

Apply what we've discussed today
Next week you should ask about and review your corporate cybersecurity insurance policy (if you have one).
In the next three months you should:
Review your most recent enterprise risk assessment
Discuss your corporate cyber risk appetite with the CEO and CRO
Meet with your insurance broker to discuss your cybersecurity insurance policy
In the next six months you should begin budgeting and scheduling an enterprise risk assessment and considering potential tools or services to automate and provide visibility into your risk environment.

Thank You
Mark Weatherford
mark@varmour
+1.916.200.8801