Empower Results Day | 29 September 2016
Proprietary & Confidential
Cyber Security as an Enterprise Risk
How do you identify and quantify your cyber exposures?
1. The Emergent Strategic Risk
2. The Distributed Problem
3. Risk Management as an Integrated Solution
4. Risk Transfer
Section 1: The Emergent Strategic Risk
Evolving Threat to Strategic Objectives
Increased application and reliance on digital technology has created more complex, more impactful exposures to cyber events.
[Diagram] Technological Drivers: Automation; Connectivity. Business Drivers: businesses across all industry verticals are continuing to invest in deploying digital technologies to stay competitive and relevant. Strategic Threat: Bodily Injury, Material Damage, Data Breach, Media Liability, Product Liability, Business Interruption, Intellectual Property, Brand / Reputation.
2015 Global Risk Management Survey: Emerging Priorities
Cyber continues to increase in priority for Business Leaders
Aon’s 2015 Global Risk Management Survey, the fifth since 2007, is designed to offer insights necessary to compete in an increasingly complex business environment.
Cyber risk, which ranked at number 18 in 2013, has now risen to number 9 in Aon's 2015 Global Risk Management Survey.
Top 10 risks:
1. Damage to reputation/brand
2. Economic Slowdown
3. Regulatory/Legislative
4. Increasing Competition
5. Failure to attract or retain talent
6. Failure to innovate
7. Business Interruption
8. Third Party Liability
9. Computer Crime / Cyber
10. Property Damage
Source: World Economic Forum 2015, Aon Global Risk Management Survey 2015
$3 Trillion by 2020
Increasing Materiality of Cyber
Increasing digital transformation is creating greater financial exposure
In our recent Aon sponsored Ponemon survey it was revealed that the perceived value of both tangible and intangible assets is relatively comparable; tangible assets reported were USD 872 million, compared to USD 845 million for intangible assets.
However, the impact and likelihood of threats to intangible assets occurring is viewed as significantly greater than for tangible assets.
The impact from a cyber event on intangible assets is +163% compared to physical asset maximum losses.
Source: Aon Ponemon Survey 2015
Cyber insurance strategies are falling behind
Cyber – Fast Moving Target: insurance strategies are falling behind the pace of the corporate technology and threat profile
Despite the growing frequency and scale of cyber attacks and increasing management focus, more than half of surveyed companies do not buy cyber insurance.
Only 41% of companies currently purchase Cyber Insurance.
Why has there been this disconnect with the technology changes and the insurance strategy?
Source: Aon Cyber Captive Report 2016
Section 2: The Distributed Problem
Silo Focus to Measuring and Mitigating Cyber
Each silo is focused on one element of the overall digital profile and cyber risk
Although the technology and threat landscapes have rapidly evolved, companies continue to address cyber risk in a distributed, disparate way.
Senior Management: focus on technology as a driver of business strategy
Human Resources: focus on employee vetting, engagement, and training
Legal / Compliance: focus on managing the data privacy legal / regulatory position
Information Security: focus on safeguarding the information ‘crown jewels’ against adversaries
Cyber is measured and mitigated within each silo across the company.
Keeping up with the conversation
Risk and Insurance Strategies are struggling to keep pace with digital change
Digital transformation is continuing to create new business markets and organisational structures. This can rapidly and radically change the business model and risk profile of the company. However, this change does not cascade through the company at the same pace.
Risk and Insurance Strategies can struggle to keep up with this new digital (cyber) reality.
What role does the Risk Manager play in delivering an integrated solution to this distributed problem?
[Diagram] Digital Frontier: applying innovative digital technologies to create new and disrupt existing markets. (+12-18 months change in organisational structure and architecture.) Business Model: people, process, and technology to support ‘Business as Usual’. (+12-18 months change in risk perception and understanding.) Risk & Insurance Strategy: financing and transferring the risk profile.
Section 3: Risk Management as an Integrated Solution
Risk Manager as the Agent of Change
Creating a paradigm shift to an ‘Enterprise’ approach to Cyber
Increasingly companies will need to align Cyber within the Enterprise Risk Management framework to leverage appropriate data, risk analytics, and transfer strategies to make informed decisions concerning ‘Cyber Resilience’.
Accordingly Cyber needs to be seen as an organisational issue with exposures understood from a business perspective; thereby interrogating the critical interdependencies across the company and cyber ‘value at risk’.
Traditional ‘Cyber’ vs ERM ‘Cyber’ Model:
Risk Owner: IT owns Risk and Controls | Business Risk
Stakeholders: Divergent silos: Strategy, IT, Security, HR, Legal | Greater convergence between functions linked to achieving business strategy
Appetite / Attitude: “If it happens” | “When it happens”
Strategy: Prevention | Resilience
Cyber Focus: Protecting Perimeters | Protecting Strategic Assets (crown jewels)
Cyber Operating Model: Layering Cybersecurity on top of the business | Building Cybersecurity into business processes
Integrating Discrete Silos
Creating an appropriate Risk Architecture for the cyber profile
Companies need to solve these distributed problems with an integrated approach and collaborative solution to preventing, mitigating and transferring cyber-related exposures.
The Role of Risk Management to drive convergence: collaborating with senior stakeholders and aligning to the corporate risk framework.
Risk Management sits across the four silos:
Senior Management
- Business Strategy
- Priority Risks & Issues
- Risk Appetite
Human Resources
- Vetting & Onboarding
- Employee Engagement
- Training & Awareness
Information Security
- Crown Jewels
- Threats
- Cybersecurity posture
Legal / Compliance
- Vendor Contracts
- Regulatory Framework
- Legal Response
Establishing a Cyber framework
Journey to defining and implementing a more fit-for-purpose Cyber Resilience Strategy:
“What cyber exposures do we have?”
“How bad could the risks be to the balance sheet?”
“What coverage do we have / could we have?”
“How can we mitigate cyber exposures?”
“How can we optimise self-retention?”
“How can we expedite cyber claims payment?”
What exposures do we have?
Conduct risk profiling to identify and analyse cyber scenarios with the cross-functional team
1. Agree the ‘Crown Jewels’
- Operational Technology
- Commercially Sensitive
- Employee Data
- Financial / Legal Data
2. Identify Threat Scenarios
3. Define the control environment: utilise a Cybersecurity framework to map the current control environment
Evaluating the Balance Sheet Impact
Conducting simulations of the cyber scenarios to model financial impact
Building on the analysis during the risk profiling stage, the team should generate financial values for each scenario within a consistent cost framework:
Cyber Scenarios: Compromised ICS/SCADA; Compromised Corporate Network
Threats:
- SQL injection via exploitation of web application vulnerabilities
- Malware infections within air-gapped control system networks
- Exploitation of zero-day vulnerabilities in control system devices and software
- Lateral movement between network zones
- Unauthorized access and exploitation of Internet facing ICS/SCADA devices
- Network scanning and probing
- Targeted spear-phishing campaigns
- Strategic web site compromises (a.k.a. watering hole attacks)
Commercial Impacts:
- Denial of access to Industrial Control System
- Production / Performance Data compromised during attack
- Stoppage of ICS to investigate compromise (48 hours)
- Forced downtime of Industrial Control System (6/8 hours)
Financial Model:
- Manual work around by production teams and overtime incurred throughout ICS hack
- Increased Cost of Working / Activation of BCM/DR arrangements
- 3rd Party Crisis Response (Investigation, Response, and Remediation)
- Rebuild / Restore of corrupted system data
Translating cyber scenarios into financial impact – applying risk assessment techniques to build the financial profile for each cyber risk scenario.
Determining Current and Target Coverage
Stress Testing the existing Insurance Programme
Following the mapping and quantification of cyber exposures, insurability analysis will help clearly determine those risks that are potentially insurable and those that are uninsurable and will be retained.
This process will involve conducting a gap analysis of the identified insurable cyber exposures against the insurance programme to identify which covers are impacted by a future claim or any potential gaps in indemnity.
- Determine Gaps
- Identify Enhancements
- Improve Insurance Awareness
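The two steps above, generating a financial value for each scenario within a consistent cost framework and then stress testing the insurance programme for gaps, can be carried through in code. The following is an added example written for this page; it is not Aon's model and not part of the original deck. All amounts, likelihoods, limits and the retention are constructed placeholders, and the mapping of cost components to insuring clauses (Business Interruption, Crisis Response, Ensuing Property Damage, Regulatory Defense and Penalties) is an assumption about how such a programme might respond, not a statement about any real wording.

```python
"""Scenario cost model and insurance gap analysis (added example).

Illustrative code written for this page, not Aon's model and not part of the
original deck. Every monetary value, likelihood, limit and retention is a
constructed placeholder; the component-to-clause mapping is an assumption.
"""
from dataclasses import dataclass, field

# Cost components from the deck's financial model, keyed to the insuring clause
# that would typically respond (assumed mapping; real wordings differ).
COMPONENT_TO_CLAUSE = {
    "manual_workaround_overtime": "Business Interruption",
    "increased_cost_of_working": "Business Interruption",
    "income_loss": "Business Interruption",
    "third_party_crisis_response": "Crisis Response",
    "rebuild_restore_data": "Crisis Response",
    "ensuing_property_damage": "Ensuing Property Damage",
    "regulatory_penalties": "Regulatory Defense and Penalties",
}


@dataclass
class Scenario:
    name: str
    annual_likelihood: float  # constructed: 0.05 means roughly once in 20 years
    costs: dict               # component -> loss amount in USD (constructed)

    def gross_loss(self) -> float:
        return float(sum(self.costs.values()))

    def expected_annual_loss(self) -> float:
        return self.annual_likelihood * self.gross_loss()


@dataclass
class Policy:
    """Simplified cyber programme: one retention per claim, a limit per clause.
    A clause absent from `limits` has not been purchased at all (assumption)."""
    retention: float
    limits: dict = field(default_factory=dict)


def gap_analysis(scenario: Scenario, policy: Policy) -> dict:
    """Stress-test one scenario against the programme: how much would be
    insured, how much sits in the retention, and how much is uninsured
    (above a limit, or under a clause that was never purchased)."""
    by_clause: dict = {}
    for component, amount in scenario.costs.items():
        clause = COMPONENT_TO_CLAUSE[component]
        by_clause[clause] = by_clause.get(clause, 0.0) + amount

    out = {"scenario": scenario.name, "clauses": {},
           "insured": 0.0, "retained": 0.0, "uninsured": 0.0}
    retention_left = policy.retention  # one retention eroded across the claim
    for clause, loss in by_clause.items():
        if clause not in policy.limits:
            out["clauses"][clause] = {"loss": loss, "insured": 0.0, "status": "not covered"}
            out["uninsured"] += loss
            continue
        retained = min(loss, retention_left)
        retention_left -= retained
        insured = min(loss - retained, policy.limits[clause])
        above_limit = loss - retained - insured
        status = "within limit" if above_limit == 0 else "exceeds limit"
        out["clauses"][clause] = {"loss": loss, "insured": insured, "status": status}
        out["insured"] += insured
        out["retained"] += retained
        out["uninsured"] += above_limit
    return out


def rank_gaps(scenarios, policy: Policy):
    """Determine Gaps: scenarios ordered by uninsured amount, largest first."""
    rows = [(s.name, gap_analysis(s, policy)["uninsured"]) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inputs named after the deck's two scenario headings.
ICS_SCENARIO = Scenario(
    "Compromised ICS/SCADA", 0.05,
    {"manual_workaround_overtime": 150_000, "increased_cost_of_working": 400_000,
     "third_party_crisis_response": 250_000, "rebuild_restore_data": 100_000,
     "income_loss": 1_200_000, "ensuing_property_damage": 500_000})
CORP_SCENARIO = Scenario(
    "Compromised Corporate Network", 0.25,
    {"third_party_crisis_response": 300_000, "rebuild_restore_data": 50_000,
     "regulatory_penalties": 200_000, "income_loss": 100_000})
# Constructed programme: buys BI and Crisis Response only, USD 250k retention.
SAMPLE_POLICY = Policy(retention=250_000,
                       limits={"Business Interruption": 1_000_000,
                               "Crisis Response": 500_000})

if __name__ == "__main__":
    for s in (ICS_SCENARIO, CORP_SCENARIO):
        r = gap_analysis(s, SAMPLE_POLICY)
        print(f"{s.name}: gross {s.gross_loss():,.0f}  EAL {s.expected_annual_loss():,.0f}  "
              f"insured {r['insured']:,.0f}  retained {r['retained']:,.0f}  "
              f"uninsured {r['uninsured']:,.0f}")
        for clause, d in r["clauses"].items():
            print(f"  {clause}: loss {d['loss']:,.0f} -> {d['status']}")
    print("Gap ranking:", rank_gaps([ICS_SCENARIO, CORP_SCENARIO], SAMPLE_POLICY))
```

The three totals map onto the deck's own steps: the uninsured figure (a clause not purchased, or a loss above its limit) is the gap to determine, the clause-level status tells you where an enhancement would bite, and the retained figure is what the balance sheet absorbs regardless of cover. With the constructed ICS scenario the programme pays USD 1.35M of a USD 2.6M loss, leaving USD 1.0M uninsured because Ensuing Property Damage was never bought and Business Interruption is capped.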
Take Away Comments
Key points to consider when thinking through implementing a Cyber strategy
1. Insurance strategies have failed to keep up with the pace of this digital transformation
2. To improve this position, Risk and Insurance managers need to play a pivotal role in Cyber Resilience through collaborating with senior management and technical stakeholders
3. This will help the business make more informed decisions on the appropriate level of investment in resilience (mitigation & transfer)
4. Cyber insurance can be deployed to bolster the cyber response posture of the business in addition to balance sheet protection
5. Doing so will unlock the value of cyber insurance toward the business Cyber Resilience strategy
Section 4: Risk Transfer
Considerations
• In the past, it was all about intangible assets; data and programmes…
• Large amounts of customer, corporate and employee data?
• Resources allocated to physical perils rather than information and systems security
• Processing of Credit and Debit Cards in “Retail” and “Marketing”
• Supervisory Control and Data Acquisition (SCADA) - sophisticated Industrial Control Systems (ICS)
• Vulnerability to cyber-attacks as processes are increasingly automated and rely heavily on ICS to help reduce costs, improve efficiency, streamline operations and provide competitive cost advantages
• Currently, ICS are isolated from the outside world, but with newer advanced versions of operating systems and connected devices, information sharing and connectivity may be of concern
Considerations
• Evolving smart grid technology introduces changing risks where new energy systems are increasingly connected to the “Internet of Things” (IoT), opening up new security vulnerabilities due to the sheer number of connected systems and the low or nonexistent security often placed around simple devices
• Hackers becoming more and more sophisticated in their targeting, with tools to assist in hacking anything (e.g. from a small webcam to a turbine control system or a tank management system)
• Phishing emails seem to be reaching the computers of senior employees more and more
• Continual growth in Regulation and Data Privacy legislation
• Third Party Liabilities – individual versus corporate
• Infrastructure is deemed by many as a national security concern due to its critical nature
Exposures – Third Party Liability
Cyber risk has low frequency, high severity, but is not predictable
• Following a hack / failure of IT systems (unavailability, operational error or denial of service), liability claims for:
  • Deletion, distortion, disruption of data, information and / or programs
  • Breach of confidentiality of information / intellectual property
  • Bodily / Personal Injury
  • Property Damage
  • Advertising injury
  • Regulatory Investigations, fines and penalties
  • Operational Outages – Network Interruption
  • Others?
Privacy & Network Security (Cyber)
Differing Insuring Clauses - Third Party Claims
• Privacy, Confidentiality and Security Liability
  • The Insurer will pay on behalf of the Insured any Legal Liability or Defence Costs arising out of a Claim alleging that the Insured committed or failed to prevent a Wrongful Act
  • Judgements, settlements, defence costs
  • Credit card reissuance costs
  • Website and Media (libel & slander, infringement claims)
Privacy & Network Security (Cyber)
Differing Insuring Clauses - Third Party Claims / First Party Costs
• Regulatory Defense and Penalties
  • The Insurer will pay on behalf of the Insured any fine, penalty or compensatory damages that the Insured is legally liable to pay, including legal fees and expenses arising out of a Claim which is a regulatory proceeding against the Insured by an applicable regulatory authority.
  • Legal fees and expenses
  • Investigation costs and expenses
  • Damages, settlements or court awards
  • Punitive & exemplary damages (where insurable) – PCI fines
Privacy & Network Security (Cyber)
Cyber risk has low frequency, high severity, but is not predictable
• Following a hack / failure of IT systems (unavailability, operational error or denial of service), costs incurred by the Insured for:
  • Legal Counsel advice
  • IT Forensics to help rectify damaged data, information or programs, including rebuilds
  • Repurchasing of licenced software
  • Increased Costs of Working to help mitigate or avoid larger losses / third party claims
Privacy & Network Security (Cyber)
Differing Insuring Clauses - First Party Costs
• Crisis Response – data and / or programmes
  • The Insurer will pay to the Insured any reasonable and necessary expenses and costs incurred by the Insured in restoring, updating, recreating or replacing damaged, destroyed, lost, altered, corrupted, distorted, stolen or misused Digital Assets.
  • Legal fees and expenses
  • Forensic costs / Additional Working hours
  • Notification costs
  • Crisis Management Costs:
    • Call Centre set up
    • Credit Monitoring
    • Identity Theft
    • Public Relations Consultants costs
Exposures – Extortion
Cyber risk has low frequency, high severity, but is not predictable
• Following an extortion threat to carry out distribution of confidential information, to bring down your IT systems, or simply input a virus:
  • Legal Counsel advice
  • IT Forensics to help rectify damaged data, information or programs, including rebuilds
  • Hacktivist negotiation support
  • The actual monetary demand or threat
Privacy & Network Security (Cyber)
Differing Insuring Clauses - First Party Costs
• Cyber Extortion
  • The Insurer will pay to the Insured any money or property paid by the Insured, as a direct result of an Extortion Demand.
  • A malicious and unjustified demand for money accompanied with a credible threat
  • Requires Underwriters’ consent
  • May need to notify the authorities
Exposures – Business Interruption
Cyber risk has low frequency, high severity, but is not predictable
• Following a hack / failure of IT systems (e.g. unavailability, operational error, denial of service):
  • Network interruption arising directly from a hack / failure of IT systems – no other physical peril and no loss of use of physical property, but resulting in the loss of use of physical property
  • Network interruption arising from physical damage caused by a physical peril, caused by a hack / failure of IT systems
  • Increased costs of working arising from any of the above situations in order to avoid or mitigate further Network Interruption loss or third party liability claims, or to get the Insured back up and running sooner
Privacy & Network Security (Cyber)
Differing Insuring Clauses - First Party Costs
• Business Interruption
  • The Insurer will pay to the Insured any Income Loss and Interruption Expenses from a suspension or deterioration of a total or partial interruption, degradation in the service or failure of the Insured’s Network.
  • Loss in revenue due to the interruption – difference between net income the Insured would have earned and net income actually earned during the restoration period
  • Expenses Loss – additional expenses incurred to help minimise the interruption / suspension (of business operations and to continue them) during the restoration period over and above what the Insured would have normally incurred
Exposures – Physical Property Damage
Cyber risk has low frequency, high severity, but is not predictable
• Following a hack / failure of IT systems (unavailability, operational error or denial of service), liability claims for:
  • Physical / Property Damage from fire and explosion following a hack / failure of IT systems (unavailability or operational error) causing machinery breakdown (loss of ICS or email control of systems, internal recklessness, sabotage or operational error)
  • Terrorism or Industrial Sabotage (Hacktivists)
  • Damage to physical property arising from a physical peril – caused by underlying hack (deemed terrorism or not)
  • Damage to physical property arising directly from a hack – that is not deemed terrorism / no other physical peril
  • Damage to physical property arising from a physical peril caused by failure of IT systems (unavailability or operational error) - no underlying hack
  • Damage to physical property arising directly from the failure of IT systems (unavailability or operational error) - no other physical peril
Privacy & Network Security (Cyber)
Differing Insuring Clauses - First Party Costs
• Ensuing Property Damage
  • The policy pays for the cost of repair, replacement or reinstatement of the Insured’s Property (in accordance with a defined valuation method) when the costs of repair, replacement or reinstatement are as a result of physical loss or physical damage, and caused by the use or operation of any computer system.
Privacy & Network Security (Cyber)
Differing Insuring Clauses - First Party Costs
• Inspection, Loss Prevention and / or Mitigation costs
  • The policy pays for the costs of inspection of the Insured’s computer systems and digital assets prior to inception, as well as for future inspections (to be agreed).
  • The policy also pays for any temporary mitigation or loss prevention costs taken.
Privacy & Network Security (Cyber)
Covers both Third Party litigation and First Party costs incurred by your Company
• Third Party Liability
• Regulatory Investigations & Actions
• Crisis Response
• Business Interruption
• Property Damage + Inspection Costs / Mitigation Costs
Exposures - Cyber Cover under existing insurance policies
Do current policies exclude Cyber?
a) Property Damage / Business Interruption - subject to an “Institute Cyber Attack Exclusion Clause CL380” which excludes all loss, damage, liability directly or indirectly caused by or contributed to by or arising from the use or operation, as a means of inflicting harm, of any computer, computer software programme, malicious code, computer virus or process or any other electronic system.
b) Terrorism - the policy is subject to an “Institute Cyber Attack Exclusion Clause CL380” as above
General Comment - a Cyber or Electronic Risk exclusion is applied to almost all Standard All Risk policies and there are currently limited carve-back provisions for perils emanating from a Cyber-Attack. Aon are working on pushing for cover (reviewing exclusions CL380 and NMA2914 for example), but it is early days!
Why purchase Cyber insurance
• Evolution of legislation is the greatest driver, with associated legal costs & fines and subsequent damage to reputation
• Focuses the business on e-risk issues
• Balance sheet protection
• Access to insurer approved vendors enabling prompt and cost effective response
• Key to avoiding large loss is to act quickly
• Privacy / Incident Response Plan is key
• Legal expenses, crisis management costs, and public relations costs built in to ensure smooth transition to normality
We purchase other insurance – why do we need this?
• PI/GL/Crime/D&O etc. may only partially deal with some triggers
• Liability cover may respond to loss of client data, but perhaps not own data
• Typical cover may exclude regulatory fines or penalties levied, notification or crisis management costs
• Typical cover may exclude regulatory defence costs?
• Business interruption insurances – (physical damage triggers only)
• Different policy retentions / insurers – confusion and allocation complications