CYBER SECURITY & RISK MANAGEMENT

Annual Review 2015

Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in cyber security & risk management.

Published by Financier Worldwide
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom

Telephone: +44 (0)845 345 0456
Fax: +44 (0)121 600 5911
Email: [email protected]
www.financierworldwide.com

Copyright © 2015 Financier Worldwide
All rights reserved.

Annual Review • July 2015
Cyber Security & Risk Management

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers.

Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions.

Views expressed by contributors are not necessarily those of the publisher. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the author’s firm or clients or of any organisations of which the author is a member.


Contents

United States, p. 6: Mary Guzman, McGriff, Seibels & Williams, Inc.
United Kingdom, p. 10: Jamie Bouloux, CFC Underwriting, Ltd
Spain, p. 14: Claudia Gómez, Aon Risk Solutions
Germany, p. 18: Johannes Behrends, Aon Risk Solutions
Netherlands, p. 22: Matthijs Geerts, Aon Risk Solutions
Scandinavia, p. 26: Kristoffer Haleen, Willis AB
Australia, p. 30: Emma Osgood, AIG Australia
South Africa, p. 34: Kenneth van Sweeden, Auto & General
Israel, p. 38: Sharon Shaham, AIG Israel Insurance Company Limited

INTRODUCTION

Cyber risk management is one of the most important and most often discussed issues in the modern business landscape.

Today, the number of successful cyber attacks launched annually is on the rise. Though some industries are more susceptible than others, cyber security affects companies across a wide gamut of sectors. From multinational entertainment companies like Sony, to large national retailers like Target, to local ‘mom and pop’ stores, and even government agencies, nobody is safe.

Cyber crime is primarily driven by financial gain, and cyber criminals are now fully aware of the value of personal data. In recent years, sensitive personal information including medical records and social security numbers has been stolen and sold on the open market. Hackers today are not simply one-man bands operating out of a bedroom; often they are part of sophisticated and well equipped organisations. In some instances, they are even state sponsored.

As a result of the sheer volume and complexity of these attacks, many companies struggle to defend themselves from external and internal threats. The so-called ‘Internet of Things’, while it promises new opportunities, poses a host of issues for companies battling to protect their assets. Unfortunately, this situation will only worsen in years to come. As we grow more reliant on electronic data and technology, the onus will be on companies and regulators to act.

Thankfully, boards are beginning to take notice. Cyber security and risk management is increasingly being viewed as an executive issue, not simply an IT issue. As companies face threats from a litany of parties, including organised crime rings, disgruntled employees, nation states and hacktivists, they are crafting breach response plans and taking out cyber insurance policies. On a governmental level, revisions to data privacy legislation may help turn the tide. Lawmakers are scrambling to keep up with technological innovations and evolving threats to personal data, to avoid being left behind by progressive cyber criminals.

UNITED STATES

Mary Guzman, McGriff, Seibels & Williams, Inc.

Q: In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high profile cyber attacks in the US?

GUZMAN: Certain industries, such as retail, due to the inherent vulnerabilities in current card processing and Point of Sale (POS) systems, and healthcare, are perhaps bigger targets than others, but none are immune. A lesser known, but more worrisome risk, lies within the vulnerabilities of ‘embedded’ firmware, such as Industrial Control Systems like SCADA, switching devices, cameras, conferencing phones, and temperature control, and other command and control related devices not typically accessed through a keyboard or end-user device. Additionally, hackers are penetrating medical devices to bypass hospital security measures because typical scanning and detection systems cannot find harmful activity within these closed systems. The ‘Internet of Things’ facilitates hacking technologies that can cause physical damage or bodily injury, which has become more prevalent and, at the same time, difficult to defend against. Theft of intellectual property costs companies billions of dollars a year but doesn’t garner the same headlines as privacy breaches, as these breaches do not directly impact the individual. There have been multiple high profile cyber attacks on both retail systems and healthcare in recent months. The incidents with the highest level of interest from the insurance community are the Target and Anthem breaches. The former is attracting attention because the issuing banks – which generally are not fully reimbursed by the card brands for the cost of card reissuance following a retail breach – are directly suing the merchant for those costs. If successful, the case would set a major precedent for potential costs following a breach, increasing the risk for the merchant and its insurers.

Q: Given the risks, do you believe companies are placing enough importance on cyber security? Are board members taking a proactive, hands-on approach to improving policies and processes?

GUZMAN: Boards are certainly more aware of the risks and their responsibilities for oversight of security policies and procedures – particularly public companies. However, many boards and executive leadership focus extensively on compliance with particular laws and regulations, but not as much on actual breach prevention and response preparedness. Companies are challenged due to the natural conflict between doing the right thing and managing expenses. Eventually, there will either be further regulation or case law that establishes a minimum standard for negligence, which will further drive board level decisions around IT security. There is a lot of focus on benchmarking – companies want to spend and do as much as their peers but are reluctant to go much further.

Q: To what extent have cyber security and data privacy regulations changed in the US? How are these developments affecting the way companies manage and maintain compliance?

GUZMAN: The SEC is taking a harder position on the security policies and breach disclosures of public companies. This action, coupled with various initiatives within the financial institution, healthcare and utility industries, is helping to drive better behaviour. Nevertheless, no regulation or compliance effort will make any company impenetrable. Many companies are adopting the NIST framework as a guideline or a common framework against which organisations can be mapped and measured for security maturity and diligence.

Q: In your experience, what steps should companies take to avoid potential cyber breaches – either from external sources such as hackers or internal sources such as rogue employees? What key questions should they be asking when reviewing and reinforcing their systems and controls?

GUZMAN: In today’s environment, security breaches cannot be completely avoided. Sophisticated phishing scams, malware, DDoS attacks and zero day exploits are realities with which we must live. Continuous education, vigilance and improvements in security policies and procedures – people, process, and technology – can go a long way toward mitigating the likelihood and severity of the outcome. Many companies are less focused on keeping hackers out and more concentrated on keeping data from being exfiltrated once a hacker or employee who exceeds their access privileges is inside. Data asset classification and specific plans around the protection of the most sensitive data are crucial; whether at rest, in transit or in the hands of a third party service provider. There should be a much heavier emphasis, in our experience, on what security protocols a company’s vendors have in place. Mobile device security is another area that still demands major improvement for most companies.

Q: How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

GUZMAN: First and foremost, the company should already have in place a tested breach response plan with key expert resources pre-selected to assist them from the onset. This plan would include the designation of the central authority figure at the company who will manage all the moving parts following breach discovery. It is often the general counsel along with outside privacy counsel who should be well versed in state and federal laws, familiar with the nuances in breach investigations, well acquainted with the expectations of the state Attorneys General, and should have seasoned expertise in guiding other organisations through past crises. A successful breach response strategy will include both senior and operations personnel who will be key contributors in executing the tactical plan. This includes managing the various external resources needed to forensically investigate the source and scope of the breach, provide notice to customers and accessible call centre services, offer credit monitoring and identity theft restoration solutions, respond to regulatory investigations, and manage public relations.

Q: In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities? How are insurance providers adjusting or enhancing their insurance solutions to meet market needs?

GUZMAN: Well crafted cyber insurance programs can cover many of the costs associated with data and network security breaches, including the resulting legal liabilities. Brokers and insurers have worked collaboratively to offer meaningful risk transfer solutions with special coverage grants for risks unique to certain industry groups. Insurers are developing new solutions to best underwrite catastrophic insurance protection as concerns heighten around cyber attacks that generate potential claims for actual property damage losses or for bodily injury. Directors would benefit from conducting a holistic enterprise-wide risk analysis of the company’s likely and worst case scenarios, and determining how its current insurance program provides for loss recovery. The biggest challenge insurers are facing today is the potential impact of a cyber breach on tangible property. Many of the traditional property, terrorism, general liability and pollution markets are not prepared to underwrite the aggregation risk implicated by a massive, coordinated attack on critical infrastructure. The intense level of communication taking place between public and private industry to address this issue will likely involve much more scrutiny around security maturity and ‘insurability’ of various clients, therefore necessitating creative insurance, reinsurance and other financial backstop solutions. Many coverage deficiencies can be remedied by existing cyber insurance or some of these creative new solutions, and if not, companies can adopt an appropriate self-insurance strategy as part of their overall preparedness plan.

Q: What are your predictions for cyber crime and data security in the US over the coming years?

GUZMAN: The major cyber threats companies will face in the coming years include the constantly evolving exploits used to access critical data and proprietary systems by both insiders and third parties. This includes organised crime rings, disgruntled employees, nation-states and hacktivists. People, processes and technology are all easily compromised if the ‘hacker’ understands how to manipulate each of these three legs to the security ‘stool’. They fully understand the vulnerabilities created by vendors, mobile devices and internet-facing connections, as well as the human tendency to bypass or circumvent strong controls for convenience and expediency.

Mary Guzman
Senior Vice President
McGriff, Seibels & Williams
+1 (404) 497 7535
[email protected]

Mary Guzman is a Senior Vice President in the Errors & Omissions and Information Security practice of McGriff, Seibels & Williams. Her concentration is on the design, placement and oversight of customised executive risk solutions for the Fortune 1000 and other complex accounts. Ms Guzman has a strong background in errors and omissions/professional liability, cyber/privacy, and media risks across industry groups. Her current responsibilities include the strategic leadership role for both clients and the insurance markets relative to product and service development, education and consulting, and the development of market capacity in difficult to insure industries such as energy and financial institutions.

UNITED KINGDOM

Jamie Bouloux, CFC Underwriting, Ltd

Q: In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high profile cyber attacks in the UK?

BOULOUX: The reality is that cyber threats have not changed over the past few years. Companies continue to be vulnerable to data asset theft, network and system failure, and ever increasingly the reliability of their IT supply chain. Considering these vectors for exploitation, any given company could suffer a cyber event, whether malicious or accidental. Unfortunately, the challenge is that the perpetrators of cyber crime have grown exponentially, as unlike traditional crime these attacks are faceless, low risk, lucrative, and can be impactful on any given entity. The recent attack against Germany’s Bundestag reminds us of the potential for weapon grade cyber code, such as 2010’s Stuxnet, and has created cause for concern as nation state infiltration continues to be a threat to both government and industry. New York’s Department of Financial Services has raised concerns around a potential ‘cyber 9/11’ in which it is understood that a hack into Wall Street firms could “spill over into the broader economy”.

Q: Given the risks, do you believe companies are placing enough importance on cyber security? Are board members taking a proactive, hands-on approach to improving policies and processes?

BOULOUX: It is apparent that cyber is becoming more of a board level discussion. The existence of many companies is based upon their ability to collect, utilise and ultimately trade their intellectual assets in their respective markets. Subsequently, the dynamic of traditional valuation has changed as companies are coming to realise that their intangible property – data – is often far more valuable than their current assets. As a standard, where physical security controls and internal fire sprinklers protect office facilities and human capital, organisations are investing heavily in applying IT and network security infrastructures to provide similar protections, with many companies outsourcing this function to data security specialists. The US has benefited from SEC guidance around companies having to ascertain not only the financial implications but also the operational implications of a cyber attack to their organisation. With the potential for diminished shareholder valuation, and the threat of a violation of Rule 10b-5, ‘cyber’ has had to become a boardroom discussion, with table top business continuity and incident response planning becoming the norm.

Q: To what extent have cyber security and data privacy regulations changed in the UK? How are these developments affecting the way companies manage and maintain compliance?

BOULOUX: Europe has been waiting since 2012 for the new Data Protection legislation, and continues to be governed by a directive which dates back to 1995. Subsequently, many parts of Asia and South America which trade and benefit from safe harbour with Europe are waiting to see how the legislation develops before they deliver their own cyber regulations. The result is that many companies don’t manage compliance around maintaining the integrity of their data. The obvious concern to industry which needs to be addressed, even if not through regulation, concerns the potential for theft of data and a loss of rate on investment of intellectual capital.

Q: In your experience, what steps should companies take to avoid potential cyber breaches – either from external sources such as hackers or internal sources such as rogue employees? What key questions should they be asking when reviewing and reinforcing their systems and controls?

BOULOUX: From system configuration and data segregation, to IT security management and external monitoring protocols, to even vendor management, the challenges of managing external threats are complicated and numerous. However, unfortunately the statistics still suggest that employee error and malicious intent are the biggest culprits for the proliferation of cyber attacks. Subsequently, companies should not only be limiting the rights and access controls employees have within the company’s internal networks, but should be implementing training strategies and driving awareness around cyber attacks and the operational and financial implications of dealing with these breaches. However, given the scope of security management, and the propensity for an event, a detailed audited response plan which has been tested can often be just as important as the most resilient of security architectures.

Q: How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

BOULOUX: Every firm is different, and will endure a cyber event with its own unique challenges. However, preparedness is essential. Companies should be looking to show that they were able to execute an effective, audited breach response plan and business continuity plan. Whether the firm outsources, operates managed systems or has a robust IT department, it should have predetermined vendors to help identify, mediate and resolve any potential issues. A company’s first priority should be to get back up and running and trading or producing as soon as possible. Further, know your facts before you notify your clients, and of course notify your insurance company.

Q: In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities? How are insurance providers adjusting or enhancing their insurance solutions to meet market needs?

BOULOUX: Cyber insurance solutions should mean different things for different companies, based on size and industry. Large companies should be looking for insurance solutions to align with their strategy for managing through a cyber event. Whether the event suffered is a breach of third party data or a business interruption, large corporates tend to have robust internal IT departments that work with preferred vendors to manage these events. As a result, insurance for these companies should be working as a risk transfer solution to provide financial protection, and as a failsafe vendor provider for any overlooked processes – such as notification and ID theft monitoring – to the affected companies. Conversely, cyber insurance can play a much more meaningful role for smaller companies. Consider that many insurance providers have aligned with security, legal and other third party vendors to develop their solutions and are able to leverage costs against portfolios to ensure that clients get quality service at better rates. The concept of providing ‘solutions’ for smaller clients allows for swift and effective event management, which helps companies revert to full capacity and limit any financial loss. This means that SME clients should be asking their brokers to provide details of service and contract when looking at purchasing cyber insurance.

Q: What are your predictions for cyber crime and data security in the UK over the coming years?

BOULOUX: Cyber crime remains an exploit of opportunity. As a result, we expect to see a continued increase in the number of smaller and midsized companies affected. Furthermore, given the ‘facelessness’ of the crime, and the ability to appropriate large volumes of data, and move it in the open market, we will continue to see large companies subjected to these incidents. The challenge is to understand where the next area of opportunity will be. Retail, healthcare, education and financial institutions are all susceptible to large scale exfiltration, which can cause serious consumer cynicism that not only affects the individual corporate brand but will continue to challenge the social contract with big business and the willingness of consumers to share data. A further concern is that cyber crime moves away from the financially motivated crime of opportunity, or even statement of hacktivism. As governments continue to enter the fourth vector of war, ‘cyber’, as a geopolitical tool for advancement and retaliation, has the ability to destabilise economies or even be weaponised. These concerns are driving legislatures to develop standards around the ‘duty of care’ for data at the private and public sector level. Increased attacks on corporates and even government facilities will drive increased legislation and a continued demand for consumer and national security.

Jamie Bouloux
Corporate Cyber
CFC Underwriting, Ltd.
+44 (0)020 7220 8500
[email protected]

A well-known and highly respected figure in the global cyber market, Jamie Bouloux joined CFC Underwriting in early 2015 to drive the development of the company’s large corporate cyber product on a global basis. Prior to joining, Mr Bouloux was head of cyber products and technology and media liability for Europe, Middle East and Africa at AIG and served as network security product leader and executive liability underwriter at AIG in the US.

Page 14: CYBER SECURITY & RISK MANAGEMENT - Aon · Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in cyber security & risk management

A N N U A L R E V I E W • C Y B E R S E C U R I T Y & R I S K M A N A G E M E N T

14 • F INANCIER WORLDWIDE • JULY 2015 www.f inancierworldwide.com

A N N U A L R E V I E W • C Y B E R S E C U R I T Y & R I S K M A N A G E M E N T

SPAIN

Q IN YOUR OPINION,

WHAT ARE THE MAJOR

CYBER THREATS TO WHICH

TODAY’S COMPANIES ARE

VULNERABLE? COULD YOU

COMMENT ON ANY RECENT,

HIGH PROFILE CYBER

ATTACKS IN SPAIN?

CLAUDIA GÓMEZAON RISK SOLUTIONS

GÓMEZ: We would say malware, cyber espionage, insiders, data

breaches and cyber crime continue to be the most harmful threats that

companies face today. However, companies are increasingly embracing

the ‘Internet of Things’ – technologies which will provide momentum to

their businesses and will help them to stay ahead of their competition.

Although nobody is completely sure of the implications of the Internet

of Things for both privacy and security, there will be issues for sure.

Consequently, companies need to think of cyber threats and risk

as an evolving matter, otherwise the biggest cyber threat would be

unpreparedness. In Spain, there have not been any well publicised,

high profile attacks, though the Ministry of Industry indicated that

our country is the third most attacked after the US and the UK. It is

common knowledge, however, that Spanish banks and Spanish energy

companies were counted among the victims targeted by the Carbanak

and Dragonfly operations, but the consequences of those attacks remain

unknown.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

GÓMEZ: Generally speaking, companies are becoming more conscious of cyber threats. This should not only translate into increased investment in cyber security, it should also help to establish other actions for prevention and loss mitigation. However, there are huge differences among companies, sectors of activity and segments. Although the boards of many large corporations are now becoming aware of these threats, in our opinion awareness is mainly among CISOs and IT staff, so we believe there is still a lot to do in this respect. Additionally, companies and boards continue to consider cyber risk as an IT issue, not as a real business issue that could impact P&L, reputation and competitiveness, so there is still a need for increased perception and proper C-suite involvement.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN SPAIN? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

GÓMEZ: In terms of data privacy, Spain is in a similar situation to the rest of the European Union, as it awaits the new EU data protection regulation. Spain is considered to have one of the toughest data protection regulations in the world, but forthcoming changes will make them even tougher. Probably due to the long delay in finalising and implementing the EU regulation, companies are not getting themselves prepared for the changes ahead. With respect to cyber security preparedness, Spain started to take action one step behind other countries, mainly as a consequence of the economic crisis that put the national focus, and budget, on other issues and projects. In 2013 the government implemented the National Cyber Security Strategy, which included the creation of the National Cybersecurity Council, which in turn adopted a national cyber security plan aimed at boosting the security and resilience of the IT systems of Spanish companies in general, and critical infrastructure in particular, as well as enhancing capabilities against cyber terrorism and cyber crime. Some sectors, namely financial institutions and the energy industry, are well ahead of the curve in this particular respect.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

GÓMEZ: As with any risk, the first thing companies should do is identify the threats and their potential impact, and try to value them. This is a difficult task as it requires valuing intangible assets, and IT assets may have a different value depending on the company in question and the timing. Such valuation is crucial to understand how the business might be impacted if such information or technology is lost. Only after such an exercise will companies be able to establish the appropriate actions required to avoid or mitigate cyber risk. To us, one of the most crucial actions is education throughout the whole company. Employees, board members, commercial areas – everybody needs to be focused on protecting the assets of the company. Another crucial action is crisis response. If your company is not prepared when a breach happens, the loss will be bigger and recovery probably slower.

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

GÓMEZ: Companies may need to demonstrate to regulators that they did things properly, but most importantly, they need to convince their clients, business partners and shareholders. We have seen in recent high profile breaches phrases such as “We take our customers’ data and security very seriously”, but these words need to be properly supported; otherwise, such statements will clearly have real consequences in terms of lost clients, business and reputation. Companies must be able to demonstrate that they did things correctly if they carry out a real risk management process, which includes activities such as risk analysis and quantification, investment in security, procedures and education, and mitigating actions which may include risk transfer and a proper crisis plan.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

GÓMEZ: Insurance is an element of risk mitigation, enabling companies to recover the financial impact that a cyber event can have on a company. This ranges from the huge amount of costs involved – including response costs to affected parties, notification, forensics, and so on – to liabilities and the recovery of loss of profits resulting from an event. However, and despite the fact that insurance policies may seem fairly similar, there are differences between insurers and the extent of cover on offer, so policies should be adapted to each particular case. There are peculiarities on which certain types of risk may need to focus, such as industrial and critical infrastructure, and insurance needs to be adapted to provide proper coverage. Some policies may include additional valuable services, such as consulting services or guidance in claims and events, which may complement the company’s own internal capabilities. We consider that proper risk management, which includes effective risk transfer programmes to mitigate P&L impact, will certainly have a positive influence on the supervisory duties of D&Os, who will be able to demonstrate that they care about the company, its shareholders and customers.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SPAIN OVER THE COMING YEARS?

GÓMEZ: We believe cyber crime will be a feature until companies realise the importance of fighting against certain behaviour, and help enforcement authorities in the struggle. Crime and fraud will never disappear but companies should not be afraid of recognising it is real and thus facing it. We also believe cyber terrorism is a real threat to Spanish companies and public entities as we are one of the main targets of certain radical groups. While some industries have a high degree of awareness, all companies should continue to invest in education at every level. With respect to data security, we hope companies are able to prepare in advance for the forthcoming regulation; failure to do so will see them exposed to public opinion and suffering the consequences of becoming part of the ‘data breach wall of shame’.

Claudia Gómez
Director
Aon Risk Solutions
+34 91 340 5645
[email protected]

Claudia Gómez is director of the Financial Lines Specialty for Aon in Spain. She heads the Cyber Risk Practice as well as the Financial Institutions Specialty. The Financial Lines Specialty in Spain handles management liability, professional liability, employment practices liability, initial public offering liability, crime and privacy & security liability for both commercial and financial institutions, including SMEs as well as big corporations and listed companies. Prior to joining Aon, Ms Gómez was Assistant Vice President in the financial lines department of another major insurance broking company.


GERMANY

JOHANNES BEHRENDS • AON RISK SOLUTIONS

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN GERMANY?

BEHRENDS: The threats to which today’s companies are vulnerable depend on the industry sector the company in question operates in. However, there is one common threat that a lot of companies are facing: business interruption caused by a hacker attack. In 2014, hackers struck a steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in physical damage. The case shows that hackers are not just interested in stealing sensitive data; they are willing to do damage to manufacturing plants. This development is a growing concern. We expect these kinds of attacks to happen more often.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

BEHRENDS: Big companies are very concerned about cyber risks and they are initiating countermeasures. These firms also buy cyber insurance. However, many small and medium-sized enterprises still believe that they are not likely to be targeted by hackers. Furthermore, they underestimate the probable maximum loss which a data breach or an attack could cause them. There is still a lack of knowledge and understanding – and considerable room for improvement.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN GERMANY? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

BEHRENDS: The upcoming EU General Data Protection Regulation and the German IT-Security Act will be extremely important for German companies. Both regulations contain obligations to notify authorities in certain cases. The IT-Security Act will mainly apply to critical infrastructure and include not only the obligation to notify data breaches, but also every major IT security incident. In addition, managers of critical infrastructure will be obliged to maintain a certain level of IT security. These upcoming regulations are gradually changing companies’ views on cyber risks. They know that they will have to act. While some of them already fulfil the requirements, others are waiting for the ratified versions of the new regulations to see which measures will be mandatory.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

BEHRENDS: In order to avoid cyber breaches, companies need to know their risks. The first step companies should take is to identify those risks. Then they need to ask themselves: what will be the financial impact if scenario A, B or C occurs? For example, many companies are not able to quantify their losses in the event of business interruption. But only if questions like this have been answered will companies be able to prepare for breaches or attacks. Companies need to raise the awareness of employees and establish contingency plans. They should also check procedures for granting access rights to employees, service staff and guests.

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

BEHRENDS: If a company has not established its own crisis management team, it will have to procure external help immediately. Usually, even the best IT departments are not prepared for professional cyber attacks. They need specialised IT consultants who are experienced in handling a crisis and conducting IT forensics. If personally identifiable information is affected, public authorities must be informed – otherwise, considerable penalties may follow.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

BEHRENDS: For small and medium-sized enterprises in particular, cyber insurance offers much more than just the reimbursement of financial losses. Most of these companies are not able to handle a crisis caused by a cyber breach or data loss. Who do we have to inform? How could the hackers enter our systems? How do we respond to press inquiries? Companies need IT specialists, legal and PR advice in order to react promptly and correctly. Insurance will pay for the costs of these consultants, but they provide much more – for example, the specialists needed in case of a loss. In addition, some German insurers offer risk workshops to demonstrate to companies their cyber risks, and to help them to initiate procedures to mitigate those risks.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN GERMANY OVER THE COMING YEARS?

BEHRENDS: We assume that cyber crime and related damages will increase. Germany is one of the strongest economic regions in the world and it would be naive to believe that our companies are not interesting targets for hackers. Nowadays, hacker services can be bought on the darknet for only a few euros. On the internet, instructions on how to create Trojans are available for free. Never before has it been so easy to spy on companies, steal sensitive data or shut down important systems. This development will be accelerated by ever increasing digitalisation. Therefore, decision makers must understand that their company’s information assets are as valuable as the company’s material assets. Consequently, there is no reason to handle them differently.

Johannes Behrends
Broker Financial Lines
Aon Risk Solutions
+49 208 7006 2250
[email protected]

Johannes Behrends studied law in Tuebingen and Hamburg. After his bar exam he worked as a lawyer, focusing mainly on internet law, entertainment law and intellectual property rights. Mr Behrends has worked for Aon Risk Solutions since 2009. He is a member of the Professional Services Group, which is responsible for Cyber Risks and Professional Indemnity, in particular for law firms, management consultants, financial services and publishing groups.


NETHERLANDS

MATTHIJS GEERTS • AON RISK SOLUTIONS

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN THE NETHERLANDS?

GEERTS: Cyber threats manifest themselves in various forms. Companies can be confronted with system failure, denial of service (DDoS) attacks or the disclosure or loss of confidential and personally identifiable information. The most strategic, and in our opinion most damaging, effect of a cyber threat, particularly when the issue is not addressed properly, is the danger posed to a company’s reputation, financial position and ability to realise its short and long term objectives. An integrated cyber strategy, supported at boardroom level, is fundamental in protecting all stakeholder interests. Companies are continuously under attack. DDoS attacks, as well as accidental or intentional security breaches, have recently paralysed various industries. The so-called Carbanak attackers recently committed the biggest digital bank robbery in history. The threat posed from cyber crime is very real, and no industry is safe.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

GEERTS: Luckily, most organisations acknowledge that they are exposed to cyber threats one way or another; however, the level of response to the exposure differs enormously. We believe that many companies are struggling to determine an effective means of addressing this evolving theme and how to assess their specific cyber risk exposure. Solely investing in IT security without giving consideration to the overall exposure is not sufficient. Various departments and disciplines within any one organisation deal with cyber risks. They all assess the risk within their own framework. Due to this multi-disciplinary context it is key to bring all stakeholders to the table, qualify and quantify the overall exposure, and subsequently manage the cyber exposure in an integral manner.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN THE NETHERLANDS? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

GEERTS: A number of major developments have taken place in recent years. Until recently, only a few industries, such as the telecoms sector, were regulated in this respect. However, we are now on the verge of a new regulatory era which will affect all types of businesses. On a local Dutch and EU level, strict regulations have been drafted and implemented on how to ensure the protection of data privacy and regulate what to do in the unfortunate event of a breach. Newly adopted Dutch legislation regulates the option to impose fines up to €810,000 or even 10 percent of the company’s revenue, in the event of a serious violation. The Dutch Personal Data Protection Commission will now be detailing this legislation.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

GEERTS: Firstly, experience shows that it is impossible to fully prevent any cyber breach from occurring. There is only so much an organisation can do to protect against the potential risk. However, organisations should acknowledge they are exposed, invest in up-to-date IT systems and make sure a rapid detection system is in place in order to make a quick and adequate response possible. Furthermore, organisations also need to address the ‘softer elements’. Cyber defence is about much more than just technique. Organisations need to create a culture to become more robust and agile. Cyber risk awareness should be part of a company’s DNA.

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

GEERTS: Effective response starts with good preparation. It is proven that companies which have a crisis response plan in place act better when a crisis actually occurs. We believe it is key to be prepared. Know what to do, who to call and what is legally required. Why have business continuity plans in place for a fire, but not for a cyber event? The doom scenario for a company would be to have to admit that they had no suitable controls and procedures in place for an imminent risk such as cyber. Unpreparedness opens the door to D&O claims, and actual resignations of D&Os have already occurred as a result.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

GEERTS: The advantages of a risk transfer via an insurance solution are multiple. First and foremost, the insurance can offer P&L protection for the financial consequences of a cyber event. The overall costs of an event should not be underestimated. Furthermore, the policy can provide immediate access to service providers like forensic investigators and IT specialists. This can be of significant importance, particularly for those companies that do not have those resources in-house. There is a wide range of products available. Since it is a fairly new insurable risk, lots of development still needs to take place. In any case it is important for a company, likely in collaboration with its broker, to tailor a policy that actually fits the company’s risk profile and tolerance.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN THE NETHERLANDS OVER THE COMING YEARS?

GEERTS: The transformation from historical tangible products and manual labour services to reliance on technology and information assets is obvious. Cloud computing, mobile devices, social media, ‘big data’ analytics and the explosion of the ‘Internet of Things’ prove this. The risk exposure and risk profiles of companies change as a result of this evolution. Furthermore, regulators react and the legislation becomes more stringent. It is important that risk and insurance management adapt to these changes as well. We should not be afraid of this kind of innovation and progress; we should embrace it, as it will bring us great opportunities as long as we adapt to this new reality.

Matthijs Geerts
Senior Insurance Broker
Aon Risk Solutions
+31 (0)10 448 72 14
[email protected]

Matthijs Geerts LL.M is a senior broker with the Financial Institutions team within Aon Risk Solutions in the Netherlands. Besides specialising in, amongst others, directors and officers insurance, professional indemnity insurance and crime insurance, he is the product champion for the Dutch Financial Institution department with respect to cyber risk and insurance management. Mr Geerts joined Aon in 2007 after obtaining his law degree from Leiden University, Netherlands.


SCANDINAVIA

KRISTOFFER HALEEN • WILLIS AB

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN SCANDINAVIA?

HALEEN: It is fair to say that all companies face cyber threats, but the nature of the threats varies greatly depending upon the company’s business and level of maturity. One threat that most companies have in common is that of stolen or leaked intellectual property. In the Nordics, we are also seeing that quite a few of our large manufacturers are finding themselves vulnerable to attackers who are targeting their networks. The purpose behind these attacks can be hard to establish, but it seems that many attackers are increasingly gaining access to operational systems, which may be an indicator of espionage, but also that the attackers are preparing to damage production, which can have very serious consequences.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

HALEEN: Boards have a difficult task of managing resources and attention to various areas. Risk management is just one of the areas which requires attention, and cyber risks are part of the risk management function as a whole. Cyber is not simply a matter of new risks that can be reduced to a matter of IT security, but also an amplifier of classical risks. The awareness of cyber related risks is certainly growing, although the actions taken by boards vary greatly. It is clear to me that we as a society need to devote more time and effort to cyber risks, and we need to do so now.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN SCANDINAVIA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

HALEEN: The Nordic countries are, by and large, awaiting the implementation of the General Data Protection Regulation (GDPR), although some additional legislation has been implemented on a local level. Earlier this year, Finland introduced some new privacy legislation, which can be seen as proof the Nordic governments are taking these matters very seriously. However, we are already seeing a number of sophisticated companies beginning to implement processes and policies in line with the discussions around the GDPR, which is very encouraging. In particular, companies are starting to realise that the privacy by design requirement is something that they need to adhere to, whether or not they are forced by legislation.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

HALEEN: Unfortunately, there are no silver bullets. No single control or measure will have the same effect for every organisation; the effect will vary depending on the nature and criticality of the information, as well as the network structure. There are of course some measures that should be regarded as best practice or even minimum standard when it comes to information security. These include the encryption of all information in transit and at rest, and a proactive approach to patch management. Different monitoring measures can also be implemented fairly easily. Furthermore, organisations need to implement policies and procedures around scenarios – what happens if our systems fail? All organisations need to have an idea of what a bad day looks like.

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

HALEEN: Organisations should always strive to own the stage when it comes to breaches, which requires a number of things. First, make sure that you learn the cause and extent of the incident – what has really happened? Don’t hesitate to engage outside expertise, as the cost for this is likely to be significantly lower than the cost of not knowing. Second, if it concerns a privacy breach, expect public knowledge at some point, and make sure that you are the one to tell your customers what has really happened. A breach is not necessarily bad for your reputation, but poor response surely is. If it is an intrusion of an operational system, make sure that you close down the entry point. No one would leave a door unlocked after a burglary; the same should go for a cyber breach.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

HALEEN: For most companies, a cyber insurance policy will mitigate much of the exposure, but there are some exposures, such as IP leakages, that simply don’t have an effective insurance solution today. Companies need to review the suggested policy against the exposures their company faces, as the cover will operate in very different ways. Insurers should make an effort to provide coverage in a clearer way than is the case today; most policies have ambiguities that no one, least of all clients, can understand. To some degree, insurers are not always clear on what they are covering, and certainly not on what they want to cover. We see plenty of policies that don’t walk the talk. Cyber insurance is also a lot about the quality of the response, not just the cover in the wording.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SCANDINAVIA OVER THE COMING YEARS?

HALEEN: There is very little to suggest that cyber crime will decrease any time soon. It is just too easy and profitable as an industry, and because most organisations are still struggling to get a grip on their exposures, we will not win this battle in the near future. The political changes of the world have an impact as well. The good news is that organisations are waking up to this, and are changing the way they operate accordingly. Data security will be a natural part of every organisation’s risk management efforts. It will take a few years for us to get there, and those years will be costly, but organisations will eventually adapt.

Kristoffer Haleen
Client Advocate, Risk Solutions
Willis AB
+46 8 5463 5965
[email protected]

Kristoffer Haleen is a Client Advocate and Cyber Practice Leader with Willis AB. Advising clients on cyber related risks, he has helped both clients and insurers to find risk transfer solutions to difficult exposures. Using a holistic approach to cyber risks, Mr Haleen has been driving the development of cyber insurance and connecting insurance with risk management in Scandinavia. Prior to joining Willis, Mr Haleen worked as an underwriter on technology related risks at a major global insurer. He holds an LLM degree from Uppsala University.

AUSTRALIA

EMMA OSGOOD • AIG AUSTRALIA

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN AUSTRALIA?

OSGOOD: One of the biggest problems for companies today is that cyber threats are constantly evolving. For example, with a minor code adjustment hackers can create a new variant of malware that a company’s protection system may not be able to recognise. In fact, a recent study identified 143 million new malware samples from 2014 alone, and there are an estimated 12 million new variants every month, placing an inordinate level of pressure on IT security professionals. One particular variety of malware, commonly referred to as ‘cryptolocker’, can have devastating effects. Cryptolocker is a type of ransomware which is typically spread through malicious attachments or links within emails under the guise of something genuine. Once it corrupts a computer, it begins encrypting files. The perpetrator will only release the decryption key when a ransom payment is made. While anti-virus software and firewalls provide a degree of protection for organisations, they cannot prevent employees opening links in emails in good faith.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

OSGOOD: While cyber security is on the agenda of many Australian boards, directors are still struggling to come to grips with how to handle the issues created by an attack and generally gauge their cyber security risk. One of the most common discussions is around who has ownership of monitoring cyber security – the IT department or risk management and compliance teams? Our experience in these discussions shows that IT departments are capable of addressing issues surrounding hardware and software security. However, many cyber security issues arise from employee or vendor management. We have seen a number of high profile data breaches over the past 24 months arising from IT security permissions granted to third party vendors. The most high profile cyber breaches globally in recent times have affected Target and JP Morgan. Companies need to look closely at the agreements they have in place with vendors and undertake a thorough due diligence of their control environment. Overall, there is still a great deal of work to be done by Australian directors, but they are not alone. The Public Company Governance Survey NACD 2013-2014 showed that 87 percent of respondents, globally, reported that their board’s understanding of IT risk needed to improve.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN AUSTRALIA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

OSGOOD: The long awaited changes to Australian Privacy legislation commenced on 12 March 2014. The legislation introduced 13 Australian Privacy Principles to replace the former National Privacy Principles and Information Privacy Principles. For many companies, this was the catalyst to take stock of their compliance and overhaul their data protection policies. ‘Readiness’ became a buzz word which no doubt received greater focus given the threat of significant fines from the privacy commissioner of up to AUD$1.3m for serious or repeat offenders. While the legislation was important, many were surprised that it did not go as far as requiring mandatory reporting by those affected by a data breach. Mandatory reporting will be a key milestone for Australia – we know that companies are currently experiencing data breaches but are not reporting them as there is no requirement to do so. ASIC has started to be increasingly vocal about cyber risk, and has recently released a report providing guidance to companies on managing cyber risk. The report outlines their expectation that companies address cyber risk as part of their legal and regulatory obligations and encourages all companies to perform a ‘health check’ to assess their resilience to potential breaches. The report is another key indicator that cyber risk is firmly on the regulatory radar.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

OSGOOD: First, companies need to scan their environment to identify the variety of exposures that they may face. These exposures need to be considered within the context of what they have in place already to determine whether that is sufficient. In addition, companies should ask their management teams a number of questions. Are they investing enough dollars into IT security? Are they promoting a culture of IT security awareness and vigilance among staff? While there may be a focus on prevention, do they have an incident response plan in place to address network security related issues? Is this plan tested?

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

OSGOOD: The Office of the Australian Information Commissioner set out a four step process on how to respond to a data breach. The first step is breach containment and preliminary assessment. The second step is evaluation of the risks associated with the breach. Third is notification to affected individuals, if this is appropriate. And the final step is prevention of future breaches. Often, the media can focus on data breaches within the context of ‘what not to do’. However, there are some examples of how a timely, well-executed breach response plan can mitigate the fallout. While the number of customer account holders compromised during the Home Depot data breach was larger than Target’s, some have observed that Home Depot was able to weather the storm better by implementing a clear and concise communication strategy.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

OSGOOD: The Ponemon Institute determined that data breach or cyber insurance policies are becoming an increasingly important part of a company’s preparedness plans. In 2013, only 10 percent of respondents said their company purchased a policy. But by 2014 the percentage more than doubled to 26 percent. A number of insurers have been providing cyber risk solutions for many years and in doing so have accumulated valuable knowledge and resources that they can share with their clients – often before they are the victim of a cyber breach. Insurers are all too familiar with complex cross-border legislation governing data and should be able to provide immediate access to a specialist breach response team to help their policyholders. A cyber liability policy should be used as an adjunct to a robust risk management framework and can provide access to valuable resources.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN AUSTRALIA OVER THE COMING YEARS?

OSGOOD: Our reliance upon electronic data and technology is only going to increase in the coming years. Businesses will need to turn their minds to how to effectively operate within the threat landscape. With more insurers now offering proactive risk management tools as part of their offerings, I think we will continue to see an uptick in policy purchase.

Emma Osgood
Commercial Practice Leader, Financial Lines
AIG Australia
T: +61 2 9240 1736
E: [email protected]

Emma Osgood is the National Cyber Liability Manager for AIG Australia and is responsible for the management, development and delivery of AIG’s Cyber Liability product. She has worked at AIG for more than 11 years and managed the Professional Liability portfolio for the UK branch offices before joining AIG in Sydney in 2012. Prior to AIG, Ms Osgood spent five years broking at Alexander Forbes, Alfred Blackmore and Heath Lambert in the UK. Ms Osgood holds a BA (Hons) from Exeter University.

SOUTH AFRICA

KENNETH VAN SWEEDEN • AUTO & GENERAL

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN SOUTH AFRICA?

VAN SWEEDEN: South Africa faces the same cyber threats as the rest of the world, challenges such as spoof websites, phishing, illegal access and hacking of cell phones and social media footprints left by users. South Africa was ranked the sixth most active country for cyber crime by the FBI recently – a result which is alarming for a country whose internet penetration is around 14 percent. Several high profile cyber attacks have already occurred in the country, including incidents involving both financial and governmental institutions, as well as political party websites.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

VAN SWEEDEN: Based on discussions we’ve had with some of our clients, it would appear that cyber risk and data security are being debated far more regularly at board meetings. However, according to the results of the ‘IT Web Brainstorm Chief Information Officer Survey’, published in October 2014, “agility and speed of execution, budget, and lack of skills” are the operational concerns of South African CIOs. The survey showed that South African companies spend about one-third of their IT budgets on infrastructure, bandwidth and security. How much of this allocation is on security itself is hard to say, but it indicates that although the awareness of the threat to business is increasing, spending on security is seemingly not increasing at the same pace. With this in mind, there is still a lot more that companies and their boards should be doing in order to address this issue.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN SOUTH AFRICA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

VAN SWEEDEN: In South Africa, the Protection of Personal Information Act (POPI) was signed into law in November 2013; however, a commencement date has not yet been announced. Once a commencement date is announced, companies will only have a year to comply with the requirements of the Act. POPI brings South Africa in line with international data protection laws and it reinforces South African citizens’ constitutional right to privacy. The Act is an all-inclusive piece of legislation that seeks to safeguard the integrity and sensitivity of private information. In response, all entities operating in sectors that necessitate them to handle personal particulars are required to carefully manage the data capture and storage of personal information. Affected businesses should determine what information is truly essential for collection and processing in their businesses, and then inform customers, stakeholders and employees why this is required to ensure that proper standards protecting privacy are in place. Implementing a loss prevention strategy and adopting best practice standards should be the minimum a company does in this regard.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

VAN SWEEDEN: Even if a company is very security conscious, and has done an excellent job protecting its computer system, a hacker – either internal or external – who is competent enough, determined enough and patient enough is nearly impossible to keep out. If someone steals your product designs, your customer list, your new marketing plans, your R&D data, and so on, it would be a blow that could have serious consequences for your business. Therefore, company decision makers must decide on the data that is critical to their company’s survival and focus on securing that data. IT experts know all too well that the perimeter defence strategy does not work. Critical data can be classified as data that is necessary to comply with legal or regulatory requirements to protect specific data, such as credit details and identity numbers, or data that is essential to the company’s ability to win in the marketplace, such as product designs and customer lists. There are a number of questions that should be asked by companies when identifying what data to protect, including: What data would harm the company the most if it fell into the wrong hands? What information gives the company its competitive advantage in the market? What data would someone want to steal? What knowledge makes the company better than its competition? Where is the company investing in research and development?

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

VAN SWEEDEN: A good data breach response plan should be prepared as part of the company’s overall disaster recovery plan. It will ensure that the company is well prepared to deal with a cyber breach and should include a number of steps to be taken in the event of a cyber breach. First, efforts should be made to gather the facts. Establish what the scope of the breach is and decide what facts should be disclosed to prevent harm to consumers and other affected parties. Second, appoint a response team. A predetermined chain of command allows for rapid response and informed decisions in a pressure situation while balancing the needs of the different stakeholders. Third, communicate the breach with the utmost sensitivity and attention. Accurately record your actions so that you can prove that you did everything in your power to prevent the breach, respond appropriately and mitigate risk to the customer. Finally, it is vital to act immediately. Companies should not wait to create a response plan. Budget for it and invest in data breach protections and procedures, while making data privacy best practices a part of the company’s culture.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

VAN SWEEDEN: A company should transfer risk only after it has implemented all that it can to minimise and manage the cyber risks it faces. Most providers of cyber insurance products have the ability to offer a combination of pre- and post-loss assistance to the company. The pre-loss services would include services such as consulting to the company by giving assistance and recommendations with regard to risk assessment, risk control and response strategies. Post-loss services would include services such as assistance in dealing with third party vendors, and identifying the applicable laws and contractual obligations the company must comply with, as well as legal defence services in defending third party claims and assistance with formal investigations.

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SOUTH AFRICA OVER THE COMING YEARS?

VAN SWEEDEN: The advancement in technology is almost breathtaking at times. This obviously means that cyber criminals have constantly evolving technology at their disposal to exploit to their advantage. Cyber crime and cyber terrorism are the new frontier. The need for a concerted effort to address this threat at all levels within society is more important than ever before. In his address at the first South African Cyber Security Symposium held in South Africa on 1 March 2015, the Minister of State Security spoke about the need for improved collaboration between public, private and international stakeholders regarding cyber security in South Africa. In March 2012, the government approved a National Cybersecurity Framework, but this is still in the early stages of implementation. While it is encouraging that the issue is receiving attention at the highest level within government and industry, the sheer speed of evolution means that all those involved in cyber security will be hard pressed to keep abreast of developments. Unfortunately, it seems that we will remain vulnerable to cyber attacks for the foreseeable future.

Kenneth van Sweeden
Business Manager
Auto & General
+27 79 879 1735
[email protected]

Kenneth van Sweeden has been underwriting and developing liability products in the domestic insurance market for 30 years, the last 18 of which specialising in Directors and Officers Liability after launching the first D&O product sold in South Africa. He is responsible for the underwriting and development of Auto & General’s Professional Liability suite of products such as the Errors & Omissions (Professional Indemnity) product. Mr van Sweeden is an associate of the Insurance Institute of South Africa and a member of the Institute of Directors of Southern Africa and the Professional Liability Underwriters Society in the US.

ISRAEL

SHARON SHAHAM • AIG ISRAEL INSURANCE COMPANY LIMITED

Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN ISRAEL?

SHAHAM: In the past, cyber breaches used to be sporadic and less organised, conducted mainly by individuals, usually for personal gain. Today, companies are exposed to cyber breaches by well organised and funded groups. Although some attacks may still be for personal financial gain, today the incentive for many attacks is often either ideological or political, with the major intent of causing financial harm to the attacked entity and jeopardising its business continuity. In Israel, organisations such as Anonymous organise planned ‘attack days’ several times a year, mainly against Israeli targets, thus far with no significant published results. During specific times of activity there seems to be an increase in cyber breach efforts in commercial or public organisations identified with Israel. Beyond such organised attacks, one of the most talked about events was an attempted extortion by an ex-employee of a credit card company owned by one of the major banks in Israel, which was unsuccessful.

Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?

SHAHAM: Companies in Israel place a great deal of importance on cyber security. Israel is a hi-tech nation with access to the most innovative security and cyber solutions. As the tech-community in Israel is very well developed, local enterprises have easy access to the best knowledge and solutions in the country, as well as from the international community. Therefore, most of the investment and focus of companies remains with these IT solutions. However, most of these solutions emphasise prevention. Many experts agree today that the question regarding a cyber breach is not ‘if’, but rather a question of ‘when’. A recent survey conducted by an Israeli economic magazine, which was designed to examine the level of disclosure of cyber preparedness within the financial statements of the leading 100 public companies in Israel, indicated that half of those companies surveyed are failing to disclose any information regarding their readiness towards cyber threats. Therefore, it is imperative that companies allocate adequate efforts and resources toward compliance, training, risk management and an insurance solution to provide financial aid in the event of a breach, in order to ensure business continuity. Board members are becoming increasingly proactive in these areas.

Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN ISRAEL? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?

SHAHAM: There is no specific cyber regulation in Israel. Rather, there are various laws that relate to parts of the cyber scope, such as the Protection of Privacy Law, 5741 of 1981 and the Freedom of Information Law, 5758 of 1998. In addition, in 2006, the Israeli Law, Information and Technology Authority was established under the Israeli Justice Department. The purpose of this authority is to strengthen the security of personal information and to lead the legislative and regulatory changes and enforcement of violations. The government initiated the Cyber Bureau to build and advance cyber security in Israel. At present, there is still no regulatory duty to provide subject notification of a personal data breach; this is quite the contrast to both the US and several industries in the EU. Some industries regard the cyber issue as part of their privacy compliance activities. However, in light of the above, we expect that the coming years will see the instigation of several legal changes in keeping with compliance trends in the US and EU.

Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?

SHAHAM: It is safe to say that the majority of breaches affecting organisations originate from current or past employees without intent. However, a number of breaches are also caused by rogue employees. A significant reduction in exposure to this risk can be achieved in a number of ways. First, companies should refine their recruitment techniques, including more stringent background checks and initial training. Organisations should also do a better job conveying their privacy and conduct policies. Second, companies should focus on those members of staff they have employed. Organisations should carry out regular training exercises and updates, and ensure efficient controls of access authorisations. Finally, organisations should be more vigilant when it comes to termination. Care must be taken to terminate all possible access to IT systems or data upon leaving the company. In other areas, companies should closely monitor third party service providers and require good standards on privacy controls and access, including within the terms of contract. Furthermore, organisations should establish a comprehensive Business Continuity Plan specifically for a cyber event, including the process of returning to the normal course of business.

Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?

SHAHAM: A cyber event can pose a considerable threat to organisations and requires a strategic crisis management process. Even before such an event takes place, organisations should prepare a response. There should be a definitive plan which will help the company to map a thorough risk analysis of all potential exposures, including technical, financial, legal and public relation stakeholders who should take part during an event. This will constitute a major part of the business continuity plan. The immediate decisions and actions taken during the initial stages of the situation will greatly determine the success of the end result, the size of the financial damage and the continued exposures of the company. Accordingly, it is imperative that the company engages with experts in each field of exposure.

Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?

SHAHAM: The insurance policy as a financial model enables a company to transfer some of the potential risk to a third party: an insurance company. This portrays the proactive effort of management to reduce the company’s overall risk. The choice not to do so and take the total risk upon the company, in itself, might establish cause for a personal claim against D&Os for subjecting the company to such a loss, should it happen. In respect of the product itself, cyber insurance started out as a simple notification cost and third party liability policy. In light of market changes and needs, the recent focus has shifted toward providing pre-

“ Technology is getting more and more sophisticated and complicated, and so are the abilities of third parties with harmful intent.”

Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN ISRAEL OVER THE COMING YEARS?

event services, first response and crisis management services, coverage

addressing the reliance on cloud and other third party service provider,

and first party business interruption coverage. The most recent updated

version even enables a company to purchase cover for system failure,

not necessarily due to a security failure.

SHAHAM: We expect to see an increase in the number of attacks

worldwide, and we expect the trends locally to be no different, and

possibly even harsher for Israeli entities. Indeed, Israel will continue to be

one of the most attacked countries in the world. Technology is getting

more and more sophisticated and complicated, and so are the abilities

of third parties with harmful intent. As local regulation advances, this

will expose local companies even more, which will enhance the need

for IT security and related insurance.

Sharon Shaham

VP Commercial Lines

AIG Israel Insurance Company Limited

+972 3 721 8652

[email protected]

Sharon Shaham is the VP of Commercial Lines for AIG Israel Insurance Company Limited. Ms Shaham currently oversees the activities of Financial Lines, Property and Energy and Casualty Product Towers as well as Commercial Distribution. She joined AIG in 2010 as the Commercial Lines Business Development Manager. Previously she managed the Hi-Tech and Special Risks unit for a local insurer and has 15 years market experience. Ms Shaham holds a Masters in Business Administration and an LLM.

ADJUSTING OR ENHANCING

THEIR INSURANCE SOLUTIONS

TO MEET MARKET NEEDS?

ISRAEL • SHARON SHAHAM • AIG ISRAEL INSURANCE COMPANY LIMITED

FW SUPPLEMENT

ANNUAL REVIEW