USE OF THE ABS FCI CYBER RISK MODEL FOR INSURANCE PURPOSES

Rick Scott, PE, 10 April 2018

Certification bodies and insurers are facing the same issue. We both have to predict outcomes based on our understanding of what causes loss, and collect evidence of those causes in or about the thing we are certifying or insuring. And with maritime cybersecurity, we are both feeling our way in the dark. The topic is new, and solid information about cybersecurity incidents in maritime is scarce.

We aren't concerned only with dramatic failures caused by malicious intent; those commonly make up the smaller portion of cyber incidents. We are also concerned with the greater number of non-malicious cyber incidents caused by mistakes, poor decisions, poor training, and general ignorance about the fundamental nature of cyber risk to assets and the resulting losses.

When contemplating both certification of compliance and insurance covering maritime cybersecurity events, we face some interesting difficulties. Data describing cybersecurity events, incidents, and losses is highly confidential and closely guarded by the enterprises that are affected. The potential liability associated with sharing such information is unknown and sparsely defined in case law, but perceived to be considerable. So companies are conservative about sharing, unless withholding would increase the damage incurred by the event, regulations require reporting, or they fear fines for failing to report. Further, cyber events that do not result in an obvious damaging incident may remain latent and go unnoticed on the impacted asset for long periods of time, and as a result go completely unreported. If the event is detected and defeated or quickly remediated, it may also go unreported, because protections succeeded or recovery was seamless; it passes as a job well done.

It is the fundamentals of cybersecurity risk that make insurers and certifiers very close kin. Whether deciding if a company or asset is applying cybersecurity technology and procedures that are sufficiently reasonable and prudent for safety certification, or for providing insurance against a damaging incident, the main question is the same: has the enterprise identified and dealt with the conditions that place the asset at risk? That single question makes classification society engineers and insurance actuaries very close kin. We both want facts backed by quantifiable and/or observable evidence that risk is both understood and proactively managed. Assessors and insurers aren't impressed, enchanted, or hypnotized by the intricacy, novelty, or apparent sophistication of threat modes and protections. Frankly, we don't even care. We just want evidence that any threat will have little or no loss or safety impact on the certified or insured asset. It's that simple, and that complicated.

When we contemplate the thousands of pages of guidance and requirements presented to cybersecurity professionals and business executives alike, a common thread emerges, and it's not even subtle: risk is the heart of the matter. All guidance instructs the reader to base any cybersecurity process or protection activity on a risk management plan. In ABS certification work, this is where things pretty much begin to fall apart, which is really bad, because risk assessment is foundational and required at the start of a cybersecurity program standup. Risk management is the foundation of all cybersecurity frameworks and implementation programs. DHS and the Coast Guard identified risk assessment as a critical gap in cybersecurity program implementation over a year ago and called on Stevens Institute and ABS to figure out what could be done about the weaknesses in (1) the general understanding of maritime cyber risk, and (2) the greater challenge of measuring that risk. The resulting research provided a way of thinking about cybersecurity and risk, as well as a new model for maritime operational technology risk that makes the larger idea of risk relatively easy to understand, observe, and even measure.

The model, described in a technical paper presented by ABS at the November 2017 SNAME Maritime Convention in Houston, TX, requires application in order to be fully useful as an insurer's tool. Assets must be characterized using the model. Risk Index numbers for assets, and ultimately for asset classes, must be developed. A statistically relevant number of assets in each class must be assessed, and the cyber incident history for each asset must also be tracked. The Risk Index number for each asset and its event or incident history must be documented, tracked over time, and correlated in order to establish an upper Risk Index value as a limit for insurability. The Risk Index value can also conceivably be used to set insurance rates across a range of values. All of this takes time and attention to risk event outcomes for assets that have an established Risk Index. But it is a start, and it provides quantitative information with which to begin grounding risk and insurance rates in empirical data. There are business and confidentiality issues to manage, but it is doable.

Other asset/enterprise cybersecurity information can and should also be incorporated in the insurability consideration process. Enterprise cybersecurity program attributes are arguably strong indicators of risk management due diligence. Eventually, ABS envisions the collection of industry data that provides data-driven characterizations of entire classes of assets to support insurer decisions. The concepts and approaches below outline possibilities for industry-wide data collection and analysis to guide insurance decisions and the application of resources to cybersecurity. The industry data to be collected might include the following information, connecting specific function failures with specific incident outcomes.
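The correlation-and-threshold step described above, as an added worked example that is not part of the ABS paper or its model: it takes a constructed fleet of assets with hypothetical Risk Index values (assumed to lie on a 0-100 scale, higher meaning more exposed), exposure years and incident counts; checks by rank correlation that the index actually orders assets by observed loss frequency; pools incidents into Risk Index bands; and derives an upper Risk Index limit for insurability plus a rate relativity per band. The asset identifiers, every figure, the band width and the incident-rate tolerance are assumptions made for the example, and the way the FCI model computes a Risk Index is not reproduced here.

```python
"""
Added illustration, not ABS code: correlate a per-asset Risk Index (RI) with
tracked incident history, derive an upper RI limit for insurability and rate
relativities by RI band. Fleet data below is constructed; RI scale 0-100 is
assumed. Standard library only.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AssetRecord:
    asset_id: str
    asset_class: str
    risk_index: float      # assumed 0-100 FCI Risk Index, higher = more exposed
    exposure_years: float  # years of tracked operation after the RI was set
    incidents: int         # cyber-attributable incidents recorded in that time


# Constructed sample fleet (hypothetical identifiers and figures).
SAMPLE_FLEET = [
    AssetRecord("BULK-01", "Bulk carrier", 12.0, 4.0, 0),
    AssetRecord("BULK-02", "Bulk carrier", 18.0, 4.0, 0),
    AssetRecord("BULK-03", "Bulk carrier", 27.0, 5.0, 0),
    AssetRecord("TANK-01", "Tanker",       35.0, 3.0, 1),
    AssetRecord("TANK-02", "Tanker",       44.0, 4.0, 1),
    AssetRecord("MODU-01", "MODU",         52.0, 4.0, 1),
    AssetRecord("MODU-02", "MODU",         66.0, 2.0, 2),
    AssetRecord("MODU-03", "MODU",         74.0, 3.0, 1),
    AssetRecord("MODU-04", "MODU",         85.0, 2.0, 3),
    AssetRecord("MODU-05", "MODU",         91.0, 2.0, 3),
]

BAND_WIDTH = 20  # assumed: five RI bands across the 0-100 scale


def incident_rate(records):
    """Pooled incidents per asset-year for a group (0.0 if no exposure)."""
    exposure = sum(r.exposure_years for r in records)
    return sum(r.incidents for r in records) / exposure if exposure else 0.0


def band_of(risk_index, width=BAND_WIDTH):
    """Half-open RI band [lo, hi) containing risk_index."""
    lo = int(risk_index // width) * width
    return (lo, lo + width)


def rate_by_band(records, width=BAND_WIDTH):
    """Pooled incident rate per RI band, ascending. Pooling exposure inside a
    band keeps one short-exposure asset from dominating its band."""
    groups = {}
    for r in records:
        groups.setdefault(band_of(r.risk_index, width), []).append(r)
    return {b: incident_rate(g) for b, g in sorted(groups.items())}


def spearman(xs, ys):
    """Spearman rank correlation with average ranks for ties: the sanity check
    that RI orders assets by loss frequency before any rule is hung on it."""
    def ranks(values):
        order = sorted(range(len(values)), key=lambda i: values[i])
        out = [0.0] * len(values)
        i = 0
        while i < len(order):
            j = i
            while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
                j += 1
            avg = (i + j) / 2 + 1  # 1-based average rank of the tie group
            for k in range(i, j + 1):
                out[order[k]] = avg
            i = j + 1
        return out

    rx, ry = ranks(xs), ranks(ys)
    mx, my = mean(rx), mean(ry)
    num = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    den = (sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)) ** 0.5
    return num / den if den else 0.0


def ri_vs_incident_correlation(records):
    return spearman([r.risk_index for r in records],
                    [r.incidents / r.exposure_years for r in records])


def insurability_limit(records, max_rate, width=BAND_WIDTH):
    """Top edge of the highest band whose pooled rate is within max_rate,
    walking up from the lowest band and stopping at the first breach so a
    lucky high band cannot reopen eligibility. None if the lowest band breaches."""
    limit = None
    for (lo, hi), rate in rate_by_band(records, width).items():
        if rate > max_rate:
            break
        limit = hi
    return limit


def quote(records, risk_index, max_rate, width=BAND_WIDTH):
    """('declined', None) at or above the limit; otherwise ('offered', relativity)
    where relativity = band rate / fleet-wide pooled rate (1.0 = fleet average).
    A band with no experience is charged the fleet average. No credibility weighting."""
    limit = insurability_limit(records, max_rate, width)
    if limit is None or risk_index >= limit:
        return ("declined", None)
    fleet_rate = incident_rate(records)
    band_rate = rate_by_band(records, width).get(band_of(risk_index, width), fleet_rate)
    return ("offered", band_rate / fleet_rate)


if __name__ == "__main__":
    print("Spearman(RI, incident rate) = %.3f" % ri_vs_incident_correlation(SAMPLE_FLEET))
    for (lo, hi), rate in rate_by_band(SAMPLE_FLEET).items():
        print("RI %3d-%3d: %.3f incidents per asset-year" % (lo, hi, rate))
    print("Insurability limit at 0.3/yr:", insurability_limit(SAMPLE_FLEET, 0.3))
    for ri in (52.0, 85.0):
        print("RI %.0f ->" % ri, quote(SAMPLE_FLEET, ri, 0.3))
```

With the constructed fleet the rank correlation is about 0.91, the band rates rise monotonically, and a tolerance of 0.3 incidents per asset-year puts the limit at RI 60, so the MODU at RI 52 is offered cover at roughly 0.69 of the fleet-average rate while the one at RI 85 is declined. In practice the bands would need credibility weighting and far more asset-years than this toy fleet before such a limit could be relied on; the code deliberately leaves that out so the band logic stays visible.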
Information to connect Function (Consequence) failures to incident outcomes

- Identify the industrial control system (ICS) functions that are deemed consequential to the safety and security of the asset.
- Assess the consequences of failed safety critical functions: deaths/injuries, property damage, spill, port disruption.
- Map failure of safety critical functions to historical event classes.
- Relate the impacted safety critical function to a specific Safety Integrity Level (SIL).
- Correlate cyber-initiated consequences with similar non-cyber-initiated events where possible. Examples include but are not limited to:
  - Collisions/allisions/groundings
  - Fires/explosions
  - Oil spills/CDC releases
  - Loss of propulsion
  - Flooding/sinking/capsizing
  - Crane drops

Information to connect Connections (Vulnerability) to incidents

- Identify the connection types for each asset function as Discrete, Simple, Complex, or Very Large Network (VLN, e.g. Internet accessible), and the access nodes by type associated with each connection.
- Map failure of safety critical functions to historical event classes and correlate to the connection types and nodes determined to be the entry point of the corruption causing the failure.

Connections vary by asset class and safety critical function: MODUs and drill ships are highly sophisticated and connected; bulk freighters much less so. Obviously, there is significant variation within a class as well, based on age, service, etc. Develop distributions for safety critical functions and asset classes representing the percentage of the fleet with each connection type. The distributions are developed by subject matter expert (SME) elicitation.

SAMPLE (percentage of fleet by connection type)

Function             | Asset Class        | Simple | Discrete | Complex | VLN
---------------------|--------------------|--------|----------|---------|-----
Propulsion           | MODU               | 0%     | 5%       | 25%     | 70%
Dynamic Positioning  | MODU               | 0%     | 0%       | 5%      | 95%
Crane Control        | Container Terminal | 10%    | 90%      | 0%      | 0%

Information connecting Identities (Threat) to incidents

- Identify the digital device and human identities that can access the ICS connections and related access nodes.
- Map failure of safety critical functions to historical event classes and correlate to the number of trusted and untrusted digital device and human identities determined to have access to the entry point of the corruption causing the failure.

SAMPLE (percentage of identities with access, by trust)

Function             | Asset Class        | Trusted Device | Untrusted Device | Trusted Human | Untrusted Human
---------------------|--------------------|----------------|------------------|---------------|----------------
Propulsion           | MODU               | 50%            | 50%              | 90%           | 10%
Dynamic Positioning  | MODU               | 50%            | 50%              | 95%           | 5%
Crane Control        | Container Terminal | 25%            | 75%              | 50%           | 50%

Information connecting enterprise cybersecurity program attributes to incidents

- Determine if OT Cyber Security Office (OT-CSO) responsibilities are documented and resourced.
- Determine if Incident Response Team (IRT) responsibilities are documented and resourced.
- Determine if an OT FDD has been developed and is maintained under revision management procedures.
- Determine if a compiled cyber security management system (CMS) FDD has been developed and is maintained under revision management procedures.
- Determine if Management of Change (MoC) procedures are documented and implemented as policy.
- Determine if cyber security training documents and programs are implemented and attendance is tracked.
- Map failure of safety critical functions to historical event classes and correlate to the number of program attributes in place at the time of the cyber security incident.

SAMPLE (percentage of "Yes" responses by asset class)

Asset Class        | CSO | IRT | OT-FDD | CMS-FDD | MOC | Training
-------------------|-----|-----|--------|---------|-----|---------
General Cargo      | 20% | 20% | 10%    | 5%      | 15% | 30%
Tanker             | 15% | 10% | 2%     | 2%      | 5%  | 10%
MODU               | 20% | 20% | 10%    | 5%      | 15% | 30%
Tug/Barge          | 15% | 10% | 2%     | 2%      | 5%  | 10%
Cruise             | 28% | 20% | 18%    | 20%     | 12% | 15%
Ferry              | 15% | 10% | 2%     | 2%      | 5%  | 10%
CDC Facility       | 30% | 10% | 2%     | 2%      | 15% | 30%
Petro Facility     | 25% | 10% | 2%     | 2%      | 15% | 30%
Cargo Terminal     | 35% | 10% | 2%     | 2%      | 15% | 30%
MTSA 106 Facility  | 35% | 10% | 2%     | 2%      | 15% | 30%

These concepts provide clearly understandable knobs to turn for cybersecurity practitioners, program managers, and senior executives. They are simple in concept but sophisticated in application. They respect the long-developed and accepted principles of cyber security, and frame those principles in a simple, memorable model for specific application to maritime cybersecurity situations. They acknowledge engineering principles by resolving real-world constructs numerically, so that they can be better understood and made more predictable and reliable. They provide a technique for assigning a quantitative, relative sufficiency to operational technology (OT) cyber security systems, and a method for measuring system improvement. But most importantly, the concepts offer the potential for a uniformly accepted, practical approach to assessing maritime cyber risk.

CONTACT INFORMATION

WORLD HEADQUARTERS
16855 Northchase Drive, Houston, TX 77060 USA
Tel: 1-281-877-6000  Fax: 1-281-877-5976
Email: ABS-WorldHQ@eagle.org
www.eagle.org

AMERICAS DIVISION
ABS Plaza, 16855 Northchase Drive, Houston, TX 77060 USA
Tel: 1-281-877-6000  Fax: 1-281-877-5943
Email: ABS-Amer@eagle.org

EUROPE DIVISION
ABS House, No. 1 Frying Pan Alley, London E1 7HR, UK
Tel: 44-20-7247-3255  Fax: 44-20-7377-2453
Email: ABS-Eur@eagle.org

GREATER CHINA DIVISION
5th Floor, Silver Tower, No. 85 Taoyuan Road, Huang Pu District, Shanghai 200021, P. R. China
Tel: 86-21-2327-0888  Fax: 86-21-6360-9649
Email: ABS-GreaterChina@eagle.org

PACIFIC DIVISION
438 Alexandra Road, #10-00 Alexandra Point, Singapore 119958
Tel: 65-6276-8700  Fax: 65-6276-8711
Email: ABS-Pac@eagle.org

© 2018 American Bureau of Shipping. All rights reserved.