MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT

MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT IOWA ACTUARIES CLUB 2/25/16 EDUCATION DAY PRESENTED BY KEITH BURKHARDT, V.P. KRAUS-ANDERSON INSURANCE

Overview
I. Why are cyber security events occurring?
II. What are the financial variables that impact a company when a cyber security event occurs?
III. What are the estimates of a cyber event claim cost?
IV. How is cyber risk presently underwritten?
V. What current issues are companies addressing to improve their cyber risk?

I. WHY ARE CYBER SECURITY EVENTS OCCURRING?

"The Internet? We're not interested." Bill Gates, Microsoft Founder, 1993

» 81%: Percentage of Americans who are online
» 11 billion: Total web searches per month in the U.S.
» 210 billion: Total number of e-mails sent daily
» 1 in 8: Number of U.S. married couples who met online
» 28%: Internet growth in content 2014-2015

Ronnie Biggs: The Great Train Robbery, 1963

Albert Gonzalez: Heartland Hack, 2009

» Credit card info
» Date of birth
» Social Security number
» Mother's maiden name
» Health record

DATA BREACH STATS

The 2014 Verizon Data Breach Investigation Report Dispelled the "Only a Big Company Is a Target" Myth
» 94% of attacks are on firms under 1000 employees.
» All industries are vulnerable: information & professional services, financial organizations, consumer products & manufacturing.
» 76% of attacks used weak/stolen user credentials.
» 92% of breaches originated from external parties, not employees.
» 82% of breaches were discovered by a third party (vendor, customer, etc.).
» 75% of breaches took weeks to be discovered by the victim organization.

of breached small-medium sized organizations were OUT OF BUSINESS within 6 months of discovering a breach

The 2015 Verizon Data Breach Investigation Report Focused on Breach Tactics, Causes and Financial Impact
» 2014 trends & stats continued at or near the same levels.
» 70% of breaches where the motive was understood were focused on a secondary victim/organization.
» In 60% of the breaches, the attackers infiltrated the victim's systems within minutes.

The Report Confirms Leading Tactics to Breach an Organization Were:
» Phishing: 23% of receptionists open phishing messages.
» Common vulnerabilities & exposures (CVE): poor patching strategies are 99.9% of the culprit if a breach or attack is via the system platform.
» Mobile devices are NOT a preferred vector in data breaches (Android is strongest in this area).
» Malware: over 50% of breaches in this area were discovered after 35 days or more.
  » The #1 victim is Education
  » Insurance is #4

The 2015 report confirms 96% of all intrusions could be classified in 9 categories and the frequency could assist companies in reducing their cyber risk.

Frequency of incident classification patterns with confirmed data breaches:
» POS INTRUSIONS: 28.5%
» CRIMEWARE: 18.8%
» CYBER-ESPIONAGE: 18%
» INSIDER MISUSE: 10.6%
» WEB APP ATTACKS: 9.4%
» MISCELLANEOUS ERRORS: 8.1%
» PHYSICAL THEFT/LOSS: 3.3%
» PAYMENT CARD SKIMMERS: 3.1%
» DENIAL OF SERVICE: 0.1%

II. WHAT HAPPENS TO A MID-SIZE COMPANY WHEN A CYBER BREACH OCCURS

2 Reports Attempt to Identify Cyber Costs
» 2015 Verizon Data Breach (79,000 Security Incidents)
» Ponemon 2015 Cost of Cyber Crime Study: Global (252 Large Companies)

The Cost of a Breach
Notable breach costs/expenses that are incurred include:
» Legal Advice/Defense Costs
» Notification to affected parties (customers, vendors, employees)
» ID Theft Monitoring
» Call Center
» Regulatory Fines & Penalties
» Forensic Investigation
» Business Interruption/Extra Expense
» Damage to Systems & Equipment
» Court Appearance Costs
» P.R. Expenses (Managing Opinion)
» Reputational Harm

Ponemon Report (10/2012)
Percentage cost for external consequences (consolidated view, n = 252 separate companies):
» Business disruption: 39%
» Information loss: 35%
» Revenue loss: 21%
» Equipment damages: 4%
» Other costs: 2%

Ponemon Report (10/2012)
Percentage cost by activities conducted to resolve a cyber attack (consolidated view, n = 252 separate companies):
» Detection: 30%
» Recovery: 23%
» Containment: 16%
» Investigation: 14%
» Incident Mgmt: 9%
» Ex-post response: 7%

III. CURRENT ESTIMATES OF A CYBER EVENT CLAIM

Two Opinions/Methodologies
» Verizon calculates the cost of a cyber event by number of records stolen
» Ponemon calculates cyber costs by enterprise seats (defined as number of direct connections to the network and enterprise systems)

[Figures: Ranges of expected loss by number of records; Expected average loss by records lost]

Table 1. Quartile analysis (cost expressed in US dollars)

                        FY 2015 (n=252)   FY 2014 (n=252)   FY 2013 (n=252)
Quartile 1 (Smallest)   $3,279,376        $2,967,723        $2,965,464
Quartile 2              $5,246,519        $5,107,532        $4,453,688
Quartile 3              $8,987,450        $8,321,024        $6,659,478
Quartile 4 (Largest)    $13,372,861       $13,805,529       $14,707,980

Table 2. Quartile analysis (cost expressed in US dollars)

                        2015 Cost per seat   2014 Cost per seat   2013 Cost per seat
Quartile 1 (Smallest)   $1,555               $1,601               $1,388
Quartile 2              $878                 $962                 $710
Quartile 3              $709                 $726                 $532
Quartile 4 (Largest)    $368                 $437                 $431

IV. HOW IS CYBER RISK PRESENTLY UNDERWRITTEN?

Multiple Methods of Underwriting Can Be Generally Grouped into 3 Theories:
I. Selective Underwriting
II. Collateral Customer Underwriting
III. The Law of Large Numbers Underwriting

The Selective Underwriting Process
» Long application forms
» Warranty app wording
» Highly detailed review of Customer's IT Systems
» Narrow number of applicants qualify
» Quotes manage risk by limiting the policy offerings: limits, deductibles, coverage based on Underwriting appetite of domicile, industry, size of risk, and app info

The Collateral Customer Underwriting Process
» Add Cyber extensions to the customer's current policy
» Additional premium is calculated as percent of policy premium
[Diagram labels: Cyber & Privacy; Management Liability; Commercial General Liability; Property; Professional Liability; Crime]

The Law of Large Numbers Underwriting Process
» Premise is based on Macro data: number of potential businesses creating a large pool of insureds & predictability
» 85mm possible insured entities vs. 250,000 (est.) cyber incidents
» Remove barriers of purchase:
  » Simple application
  » Broad coverage rating based on domicile, industry, revenue and number of employees
  » Streamlined claims process & payment (focused on cyber time vs. natural time)

Law of Large #'s Method sets policy limits within an insurer's risk-based capital model

V. WHAT CURRENT ISSUES ARE COMPANIES ADDRESSING TO IMPROVE THEIR CYBER RISK?

Are you Cyber Resilient?
» Data is the new currency
» 94% of cyber-attacks are on small-mid sized firms

Questions to Develop Answers*
» Has your firm gone through the data mapping process?
» What's your data disposal process?
» When are you engaged in the IT procurement process?
» When/how does IT fit in to the process of bringing a new product to market?
» Do you have the resources you need?
*Via CyberSmart Law & Kraus-Anderson Insurance

Be Prepared for a Security Incident
» Do you have a complete list of all accounts and services that you use?
» Would you know who to contact for any account or service that appears to have been compromised?
» Can you identify the types of sensitive data you are storing, and do you know where it is being stored?
» Have you developed a tiered response plan to react to incidents of varying degrees?
» Do you have a plan for an alternate form of communication, in case email is compromised?
» Have you organized and/or standardized where all documentation is stored to minimize the potential of having secure data stored in unknown locations?
» Do you have a data retention plan?
» Have you determined a security breach's financial impact on your company, and do you know how to finance it?

Sources
» Verizon 2015 Data Breach Investigation Report (verizonenterprise.com)
» RSM (McGladrey's): Anatomy of a Breach (mcgladrey.com)
» CFCUnderwriting.com
» Beazley.com
» Infraguard.org
» Ponemon Institute Hewlett Packard Global Crime Report (8.hp.com/us/en/software-solutions/Ponemon-cyber-security-report/)
» CyberSmart Law (dukelawoffice.com/cybersmart-law)
» Brian Krebs (krebsonsecurity.com)