
Page 1

Cyber Security as an Enterprise Risk
How do you identify and quantify your cyber exposures?

Empower Results Day | 29 September 2016
Proprietary & Confidential

Page 2

1. The Emergent Strategic Risk

2. The Distributed Problem

3. Risk Management as an Integrated Solution

4. Risk Transfer

Page 3

Section 1
The Emergent Strategic Risk

Page 4

Evolving Threat to Strategic Objectives

Businesses across all industry verticals are continuing to invest in deploying digital technologies to stay competitive and relevant.

Technological Drivers: Automation; Connectivity
Business Drivers: staying competitive and relevant
Strategic Threat: Bodily Injury; Material Damage; Data Breach; Media Liability; Product Liability; Business Interruption; Intellectual Property; Brand / Reputation

Increased application of, and reliance on, digital technology has created more complex, more impactful exposures to cyber events.

Page 5

2015 Global Risk Management Survey: Emerging Priorities

Cyber continues to increase in priority for Business Leaders

Aon’s 2015 Global Risk Management Survey, the fifth since 2007, is designed to offer insights necessary to compete in an increasingly complex business environment.

Cyber risk, which ranked at number 18 in 2013, has now risen to number 9 in Aon's 2015 Global Risk Management Survey.

Top 10 risks:
1. Damage to reputation/brand
2. Economic slowdown
3. Regulatory/Legislative
4. Increasing competition
5. Failure to attract or retain talent
6. Failure to innovate
7. Business interruption
8. Third party liability
9. Computer crime / Cyber
10. Property damage

$3 Trillion by 2020

Source: World Economic Forum 2015, Aon Global Risk Management Survey 2015

Page 6

Increasing Materiality of Cyber

Increasing digital transformation is creating greater financial exposure

In our recent Aon sponsored Ponemon survey it was revealed that the perceived value of both tangible and intangible assets is relatively comparable; tangible assets reported were USD 872 million, compared to USD 845 million for intangible assets.

However, the impact and likelihood of threats to intangible assets occurring is viewed as significantly greater than for tangible assets.

The impact from a cyber event on intangible assets is +163% compared to physical asset maximum losses.

Source: Aon Ponemon Survey 2015

Page 7

Cyber insurance strategies are falling behind

Cyber – Fast Moving Target

Insurance strategies are falling behind the pace of the corporate technology and threat profile.

Despite the growing frequency and scale of cyber attacks and increasing management focus, more than half of surveyed companies do not buy cyber insurance: only 41% of companies currently purchase Cyber Insurance.

Why has there been this disconnect between the technology changes and the insurance strategy?

Source: Aon Cyber Captive Report 2016

Page 8

Section 2

The Distributed Problem

Page 9

Silo Focus to Measuring and Mitigating Cyber

Each silo is focused on one element of the overall digital profile and cyber risk

Although the technology and threat landscapes have rapidly evolved, companies continue to address cyber risk in a distributed, disparate way.

Senior Management: focus on technology as a driver of business strategy
Human Resources: focus on employee vetting, engagement, and training
Legal / Compliance: focus on managing the data privacy legal / regulatory position
Information Security: focus on safeguarding the information ‘crown jewels’ against adversaries

Cyber is measured and mitigated within each silo across the company.

Page 10

Keeping up with the conversation

Risk and Insurance Strategies are struggling to keep pace with digital change

Digital transformation is continuing to create new business markets and organisational structures. This can rapidly and radically change the business model and risk profile of the company. However, this change does not cascade through the company at the same pace.

Risk and Insurance Strategies can struggle to keep up with this new digital (cyber) reality.

What role does the Risk Manager play in delivering an integrated solution to this distributed problem?

Digital Frontier: applying innovative digital technologies to create new and disrupt existing markets
  +12-18 months: change in organisational structure and architecture
Business Model: people, process, and technology to support ‘Business as Usual’
  +12-18 months: change in risk perception and understanding
Risk & Insurance Strategy: financing and transferring the risk profile

Page 11

Section 3
Risk Management as an Integrated Solution

Page 12

Risk Manager as the Agent of Change

Creating a paradigm shift to an ‘Enterprise’ approach to Cyber

Increasingly companies will need to align Cyber within the Enterprise Risk Management framework to leverage appropriate data, risk analytics, and transfer strategies to make informed decisions concerning ‘Cyber Resilience’.

Accordingly Cyber needs to be seen as an organisational issue with exposures understood from a business perspective; thereby interrogating the critical interdependencies across the company and cyber ‘value at risk’.

                       Traditional ‘Cyber’                     ERM ‘Cyber’ Model
Risk Owner             IT owns Risk and Controls               Business Risk
Stakeholders           Divergent silos: Strategy, IT,          Greater convergence between functions
                       Security, HR, Legal                     linked to achieving business strategy
Appetite / Attitude    “If it happens”                         “When it happens”
Strategy               Prevention                              Resilience
Cyber Focus            Protecting Perimeters                   Protecting Strategic Assets (crown jewels)
Cyber Operating Model  Layering Cybersecurity on top of        Building Cybersecurity into business
                       the business                            processes

Page 13

Integrating Discrete Silos

Creating an appropriate Risk Architecture for the cyber profile

Companies need to solve these distributed problems with an integrated approach and collaborative solution to preventing, mitigating and transferring cyber-related exposures.

The role of Risk Management is to drive convergence: collaborating with senior stakeholders and aligning to the corporate risk framework. Risk Management sits at the centre of the four silos:

Senior Management
- Business Strategy
- Priority Risks & Issues
- Risk Appetite

Human Resources
- Vetting & Onboarding
- Employee Engagement
- Training & Awareness

Information Security
- Crown Jewels
- Threats
- Cybersecurity posture

Legal / Compliance
- Vendor Contracts
- Regulatory Framework
- Legal Response

Page 14

Establishing a Cyber framework

Journey to defining and implementing a more fit-for-purpose Cyber Resilience Strategy:

“What cyber exposures do we have?”
“How bad could the risks be to the balance sheet?”
“What coverage do we have / could we have?”
“How can we mitigate cyber exposures?”
“How can we optimise self-retention?”
“How can we expedite cyber claims payment?”

Page 15

What exposures do we have?

Conduct risk profiling to identify and analyse cyber scenarios with the cross functional team

1. Agree the ‘Crown Jewels’
2. Identify Threat Scenarios
3. Define the control environment

Page 16

What exposures do we have?

Conduct risk profiling to identify and analyse cyber scenarios with the cross functional team

1. Agree the ‘Crown Jewels’
2. Identify Threat Scenarios
3. Define the control environment

Step 1, ‘Crown Jewels’ categories: Operational Technology; Commercially Sensitive; Employee Data; Financial / Legal Data


Page 18

What exposures do we have?

Conduct risk profiling to identify and analyse cyber scenarios with the cross functional team

1. Agree the ‘Crown Jewels’
2. Identify Threat Scenarios
3. Define the control environment: utilise a Cybersecurity framework to map the current control environment

Page 19

Evaluating the Balance Sheet Impact

Conducting simulations of the cyber scenarios to model financial impact

Building on the analysis during the risk profiling stage, the team should generate financial values for each scenario within a consistent cost framework. The slide works two scenarios, Compromised ICS/SCADA and Compromised Corporate Network, and lists the threat vectors, commercial impacts and financial model lines considered.

Threat vectors
- SQL injection via exploitation of web application vulnerabilities
- Malware infections within air-gapped control system networks
- Exploitation of zero-day vulnerabilities in control system devices and software
- Lateral movement between network zones
- Unauthorized access and exploitation of Internet-facing ICS/SCADA devices
- Network scanning and probing
- Targeted spear-phishing campaigns
- Strategic web site compromises (a.k.a. watering hole attacks)

Commercial Impacts (Compromised ICS/SCADA)
- Denial of access to the Industrial Control System
- Forced downtime of the Industrial Control System (6/8 hours)
- Stoppage of the ICS to investigate the compromise (48 hours)
- Production / performance data compromised during the attack

Financial Model (Compromised ICS/SCADA)
- Manual work-around by production teams and overtime incurred throughout the ICS hack
- Increased Cost of Working / activation of BCM/DR arrangements
- 3rd party crisis response (investigation, response, and remediation)
- Rebuild / restore of corrupted system data

Translating cyber scenarios into financial impact: applying risk assessment techniques to build the financial profile for each cyber risk scenario.

Page 20

Determining Current and Target Coverage

Stress Testing the existing Insurance Programme

Following the mapping and quantification of cyber exposures, insurability analysis will help clearly determine those risks that are potentially insurable and those that are uninsurable and will be retained.

This process will involve conducting a gap analysis of the identified insurable cyber exposures against the insurance programme to identify which covers would be impacted by a future claim and any potential gaps in indemnity.

- Determine Gaps
- Identify Enhancements
- Improve Insurance Awareness
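The two steps above, sizing each cost line of a scenario within a consistent cost framework and then stress-testing the result against the insurance programme, can be made concrete in code. The following is an added example written for this page, not Aon's model or data: the cost lines mirror the slide's Compromised ICS/SCADA scenario, but every figure, the triangular low / most-likely / high ranges, and the policy terms (retentions, sublimits, an aggregate limit and a 12-hour business interruption waiting period) are constructed assumptions. It runs a Monte Carlo over the cost lines, routes each line to the insuring clause it would fall under, and reports the gross and retained loss curves. The waiting period is the deliberate indemnity gap: the 6-8 hour forced-downtime line never reaches the insurer, which is the kind of finding the gap analysis is meant to surface.

```python
"""Scenario loss and insurance-response model (added example, constructed data)."""
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CostLine:
    """One cost-framework line as a triangular low/most-likely/high USD range;
    'cover' is the insuring clause it would fall under, or "retained" if uninsurable."""
    name: str
    cover: str
    low: float
    mode: float
    high: float
    duration_hours: Optional[int] = None  # set only on interruption-type lines


@dataclass(frozen=True)
class Cover:
    """Assumed clause terms: monetary retention, sublimit, BI waiting period (hours)."""
    retention: float
    limit: float
    waiting_hours: int = 0


# Constructed figures mirroring the slide's 'Compromised ICS/SCADA' cost lines.
ICS_SCENARIO: List[CostLine] = [
    CostLine("Forced ICS downtime (6-8 h): lost production", "business_interruption", 90_000, 105_000, 120_000, 8),
    CostLine("48 h stoppage to investigate: lost production", "business_interruption", 600_000, 720_000, 900_000, 48),
    CostLine("Manual work-around by production teams / overtime", "business_interruption", 20_000, 40_000, 90_000, 48),
    CostLine("Increased cost of working / BCM-DR activation", "business_interruption", 30_000, 60_000, 150_000, 48),
    CostLine("3rd party crisis response (investigation, response, remediation)", "crisis_response", 80_000, 200_000, 600_000),
    CostLine("Rebuild / restore of corrupted system data", "crisis_response", 25_000, 75_000, 250_000),
    CostLine("Regulatory investigation and penalties (where insurable)", "regulatory", 0, 50_000, 500_000),
    CostLine("Reputation / brand remediation (assumed uninsurable)", "retained", 0, 100_000, 400_000),
]

# Constructed policy terms. The 12 h BI waiting period is the deliberate gap:
# the 6-8 h forced-downtime line can never trigger the cover.
POLICY: Dict[str, Cover] = {
    "business_interruption": Cover(retention=100_000, limit=1_000_000, waiting_hours=12),
    "crisis_response": Cover(retention=25_000, limit=500_000),
    "regulatory": Cover(retention=25_000, limit=250_000),
}
AGGREGATE_LIMIT = 1_500_000  # cap on the policy's total payout per event


def point_estimate(lines: List[CostLine]) -> float:
    """First cut without simulation: sum of triangular means, (low + mode + high) / 3."""
    return sum((c.low + c.mode + c.high) / 3 for c in lines)


def responds(line: CostLine, policy: Dict[str, Cover]) -> bool:
    """Does a clause respond at all? Uninsurable lines and interruption lines shorter than
    the waiting period are retained outright (a simplifying assumption; real wordings
    deduct the waiting period from the indemnity period rather than excluding the line)."""
    cover = policy.get(line.cover)
    if cover is None:
        return False
    return line.duration_hours is None or line.duration_hours >= cover.waiting_hours


def apply_policy(lines: List[CostLine], amounts: List[float],
                 policy: Dict[str, Cover], aggregate_limit: float) -> Dict[str, float]:
    """Split one realised scenario into insured and retained: pool responding lines per
    clause, deduct the retention, cap at the sublimit, then cap the total at the
    aggregate limit. Invariant: gross == insured + retained."""
    pooled: Dict[str, float] = {}
    retained = 0.0
    for line, amount in zip(lines, amounts):
        if responds(line, policy):
            pooled[line.cover] = pooled.get(line.cover, 0.0) + amount
        else:
            retained += amount
    insured = 0.0
    for name, amount in pooled.items():
        paid = min(max(amount - policy[name].retention, 0.0), policy[name].limit)
        insured += paid
        retained += amount - paid
    if insured > aggregate_limit:
        retained += insured - aggregate_limit
        insured = aggregate_limit
    return {"gross": float(sum(amounts)), "insured": insured, "retained": retained}


def simulate(lines: List[CostLine], policy: Dict[str, Cover], aggregate_limit: float,
             runs: int = 10_000, seed: int = 2016):
    """Monte Carlo over the triangular ranges; returns per-run gross and retained losses."""
    rng = random.Random(seed)
    gross, retained = [], []
    for _ in range(runs):
        amounts = [rng.triangular(c.low, c.high, c.mode) for c in lines]
        result = apply_policy(lines, amounts, policy, aggregate_limit)
        gross.append(result["gross"])
        retained.append(result["retained"])
    return gross, retained


def summarise(values: List[float]) -> Dict[str, float]:
    """What a risk manager reads off a loss curve: mean, median, 95th percentile, worst run."""
    cuts = statistics.quantiles(values, n=100)
    return {"mean": statistics.fmean(values), "p50": cuts[49], "p95": cuts[94], "max": max(values)}


if __name__ == "__main__":
    gross, retained = simulate(ICS_SCENARIO, POLICY, AGGREGATE_LIMIT)
    for label, values in (("gross", gross), ("retained", retained)):
        print(label, {k: round(v) for k, v in summarise(values).items()})
```

Run it directly to print the mean, median, 95th percentile and worst run of gross and retained loss; the retained curve is what the "how bad could it be to the balance sheet" and "how can we optimise self-retention" questions are really asking about. The triangular ranges are a deliberate choice: asking the cross-functional team for a low, most-likely and high figure per cost line captures their uncertainty without demanding a full distribution, and the per-line `cover` tag is where the insurability analysis is recorded, so changing a retention, sublimit or waiting period in `POLICY` immediately shows its effect on the retained tail.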

Page 21

Take Away Comments

Key points to consider when thinking through implementing a Cyber strategy

1. Insurance strategies have failed to keep up with the pace of this digital transformation
2. To improve this position, Risk and Insurance managers need to play a pivotal role in Cyber Resilience through collaborating with senior management and technical stakeholders
3. This will help the business make more informed decisions on the appropriate level of investment in resilience (mitigation & transfer)
4. Cyber insurance can be deployed to bolster the cyber response posture of the business in addition to balance sheet protection
5. Doing so will unlock the value of cyber insurance toward the business Cyber Resilience strategy

Page 22

Section 4

Risk Transfer

Page 23

Considerations

In the past, it was all about intangible assets: data and programmes…
- Large amounts of customer, corporate and employee data?
- Resources allocated to physical perils rather than information and systems security
- Processing of credit and debit cards in “Retail” and “Marketing”

Supervisory Control and Data Acquisition (SCADA) - sophisticated Industrial Control Systems (ICS)
- Vulnerability to cyber-attacks as processes are increasingly automated and rely heavily on ICSs to help reduce costs, improve efficiency, streamline operations and provide competitive cost advantages
- ICSs have traditionally been isolated from the outside world, but with newer versions of operating systems and connected devices, information sharing and connectivity are increasingly a concern

Page 24

Considerations

- Evolving smart grid technology introduces changing risks where new energy systems are increasingly connected to the “Internet of Things” (IoT), opening up new security vulnerabilities due to the sheer number of connected systems and the low or nonexistent security often placed around simple devices
- Hackers are becoming more and more sophisticated in their targeting, with tools to assist in hacking anything (e.g. from a small webcam to a turbine control system or a tank management system)
- Phishing emails seem to be reaching the computers of senior employees more and more
- Continual growth in Regulation and Data Privacy legislation
- Third Party Liabilities – individual versus corporate
- Infrastructure is deemed by many to be a national security concern due to its critical nature

Page 25

Exposures – Third Party Liability

Cyber risk has low frequency, high severity, but is not predictable

• Following a hack / failure of IT systems (unavailability, operational error or denial of service), liability claims for:
  • Deletion, distortion, disruption of data, information and / or programs
  • Breach of confidentiality of information / intellectual property
  • Bodily / Personal Injury
  • Property Damage
  • Advertising injury
  • Regulatory investigations, fines and penalties
  • Operational outages – Network Interruption
  • Others?

Page 26

Privacy & Network Security (Cyber)

Differing Insuring Clauses - Third Party Claims

• Privacy, Confidentiality and Security Liability
  • The Insurer will pay on behalf of the Insured any Legal Liability or Defence Costs arising out of a Claim alleging that the Insured committed or failed to prevent a Wrongful Act
  • Judgements, settlements, defence costs
  • Credit card reissuance costs
  • Website and Media (libel & slander, infringement claims)

Page 27

Privacy & Network Security (Cyber)

Differing Insuring Clauses - Third Party Claims / First Party Costs

• Regulatory Defense and Penalties
  • The Insurer will pay on behalf of the Insured any fine, penalty or compensatory damages that the Insured is legally liable to pay, including legal fees and expenses arising out of a Claim which is a regulatory proceeding against the Insured by an applicable regulatory authority.
  • Legal fees and expenses
  • Investigation costs and expenses
  • Damages, settlements or court awards
  • Punitive & exemplary damages (where insurable) – PCI fines

Page 28

Privacy & Network Security (Cyber)

Cyber risk has low frequency, high severity, but is not predictable

• Following a hack / failure of IT systems (unavailability, operational error or denial of service), costs incurred by the Insured for:
  • Legal Counsel advice
  • IT Forensics to help rectify damaged data, information or programs, including rebuilds
  • Repurchasing of licenced software
  • Increased Costs of Working to help mitigate or avoid larger losses / third party claims

Page 29

Privacy & Network Security (Cyber)

Differing Insuring Clauses - First Party Costs

• Crisis Response – data and / or programmes
  • The Insurer will pay to the Insured any reasonable and necessary expenses and costs incurred by the Insured in restoring, updating, recreating or replacing damaged, destroyed, lost, altered, corrupted, distorted, stolen or misused Digital Assets.
  • Legal fees and expenses
  • Forensic costs / additional working hours
  • Notification costs
  • Crisis Management Costs:
    • Call Centre set up
    • Credit Monitoring
    • Identity Theft
    • Public Relations Consultants costs

Page 30

Exposures – Extortion

Cyber risk has low frequency, high severity, but is not predictable

• Following an extortion threat to distribute confidential information, to bring down your IT systems, or simply to introduce a virus:
  • Legal Counsel advice
  • IT Forensics to help rectify damaged data, information or programs, including rebuilds
  • Hacktivist negotiation support
  • The actual monetary demand or threat

Page 31

Privacy & Network Security (Cyber)

Differing Insuring Clauses - First Party Costs

• Cyber Extortion
  • The Insurer will pay to the Insured any money or property paid by the Insured as a direct result of an Extortion Demand.
  • A malicious and unjustified demand for money accompanied by a credible threat
  • Requires Underwriters’ consent
  • May need to notify the authorities

Page 32

Exposures – Business Interruption

Cyber risk has low frequency, high severity, but is not predictable

• Following a hack / failure of IT systems (e.g. unavailability, operational error, denial of service):
  • Network interruption arising directly from a hack / failure of IT systems – no other physical peril and no physical damage to property, but resulting in the loss of use of physical property
  • Network interruption arising from physical damage caused by a physical peril, itself caused by a hack / failure of IT systems
  • Increased costs of working arising from any of the above situations in order to avoid or mitigate further Network Interruption loss or third party liability claims, or to get the Insured back up and running sooner

Page 33

Privacy & Network Security (Cyber)

Differing Insuring Clauses - First Party Costs

• Business Interruption
  • The Insurer will pay to the Insured any Income Loss and Interruption Expenses arising from a total or partial interruption, degradation in the service, or failure of the Insured’s Network.
  • Loss in revenue due to the interruption – the difference between the net income the Insured would have earned and the net income actually earned during the restoration period
  • Expenses Loss – additional expenses incurred to help minimise the interruption / suspension of business operations (and to continue them) during the restoration period, over and above what the Insured would normally have incurred

Page 34

Exposures – Physical Property Damage

Cyber risk has low frequency, high severity, but is not predictable

• Following a hack / failure of IT systems (unavailability, operational error or denial of service), liability claims for:
  • Physical / property damage from fire and explosion following a hack / failure of IT systems (unavailability or operational error) causing machinery breakdown (loss of ICS or email control of systems, internal recklessness, sabotage or operational error)
  • Terrorism or industrial sabotage (hacktivists)
  • Damage to physical property arising from a physical peril caused by an underlying hack (deemed terrorism or not)
  • Damage to physical property arising directly from a hack – not deemed terrorism / no other physical peril
  • Damage to physical property arising from a physical peril caused by failure of IT systems (unavailability or operational error) - no underlying hack
  • Damage to physical property arising directly from the failure of IT systems (unavailability or operational error) - no other physical peril

Page 35

Privacy & Network Security (Cyber)

Differing Insuring Clauses - First Party Costs

• Ensuing Property Damage
  • The policy pays for the cost of repair, replacement or reinstatement of the Insured’s Property (in accordance with a defined valuation method) when the costs of repair, replacement or reinstatement are a result of physical loss or physical damage caused by the use or operation of any computer system.

Page 36

Privacy & Network Security (Cyber)

Differing Insuring Clauses - First Party Costs

• Inspection, Loss Prevention and / or Mitigation costs
  • The policy pays for the costs of inspection of the Insured’s computer systems and digital assets prior to inception, as well as for future inspections (to be agreed).
  • The policy also pays for any temporary mitigation or loss prevention costs incurred.

Page 37

Privacy & Network Security (Cyber)

Covers both Third Party litigation and First Party costs incurred by your Company

• Third Party Liability
• Regulatory Investigations & Actions
• Crisis Response
• Business Interruption
• Property Damage + Inspection Costs / Mitigation Costs

Page 38

Exposures - Cyber Cover under existing insurance policies

Do current policies exclude Cyber?

a) Property Damage / Business Interruption - subject to an “Institute Cyber Attack Exclusion Clause CL380” which excludes all loss, damage, liability directly or indirectly caused by or contributed to by or arising from the use or operation, as a means of inflicting harm, of any computer, computer software programme, malicious code, computer virus or process or any other electronic system.

b) Terrorism - the policy is subject to an “Institute Cyber Attack Exclusion Clause CL380” as above.

General Comment - a Cyber or Electronic Risk exclusion is applied to almost all Standard All Risk policies and there are currently limited carve-back provisions for perils emanating from a Cyber-Attack. Aon are working on pushing for cover (reviewing exclusions CL380 and NMA2914 for example), but it is early days!

Page 39

Why purchase Cyber insurance

- Evolution of legislation is the greatest driver, with associated legal costs & fines and subsequent damage to reputation
- Focuses the business on e-risk issues
- Balance sheet protection
- Access to insurer approved vendors enabling prompt and cost effective response
- Key to avoiding large loss is to act quickly
- Privacy / Incident Response Plan is key
- Legal expenses, crisis management costs, and public relations costs built in to ensure a smooth transition back to normality

We purchase other insurance – why do we need this?

- PI/GL/Crime/D&O etc. may only partially deal with some triggers
- Liability cover may respond to loss of client data, but perhaps not own data
- Typical cover may exclude regulatory fines or penalties levied, notification or crisis management costs
- Typical cover may exclude regulatory defence costs?
- Business interruption insurances – physical damage triggers only
- Different policy retentions / insurers – confusion and allocation complications
