University Risk Management & Insurance Association

48th Annual Conference, Orlando, FL, September 23-27, 2017

First Party Cyber: Mitigating the Risk

Sandy Mitchell, Director of Insurance, Massachusetts Institute of Technology

Carmelina Borsellino, Vice President, Manager, Cyber Hazards, FM Global

Amy Daley, Vice President, Education Practice Leader, FM Global

LAUNCHING RISK INTO THE FUTURE
URMIA 2017, Orlando, FL #URMIA2017

Learning Objectives

Contrast the results of holistic cyber risk prevention with those of risk transfer alone.

Understand the interplay between first-party property and third-party cyber liability coverage.

Get practical property risk solutions that thwart cyber-related damage to property and increase resiliency.



FM Global’s Premium Distribution

[Pie chart: premium distribution by industry. Segments: Manufacturing; Real Estate; Healthcare/Ed; Power Generation; Public Buildings; Chemical; Food; Pulp and Paper; Pharmaceutical; Retail; Electronics; Other (mining, molten materials, public entity, semiconductors and more). Segment labels: 21%; 9%; 8%; 7%; 7%; 7%; 6.92%; 6.13%; 4.58%; 3.79%; 3.55%; 14%.]

612 Accounts, $436M Premium


Higher Education Causes of Loss

[Bar chart: losses in dollars by cause, axis from $0 to $200,000,000. Causes shown: Cyber; Pressure Equipment Breakdown; Collapse; Temperature Change; Service Interruption; Electrical/Mechanical Breakdown; Wind and Hail; Fire; Escaped Liquids/Sprinkler Leakage/Water…; Flood/Surface Water. Bar values: $3,824,594; $9,549,260; $16,016,697; $25,434,486; $28,359,174; $37,594,609; $89,492,039; $101,659,121; $169,605,597; $199,575,919.]


WannaCrypt and Petya Attacks

Healthcare, Manufacturing, Retail and Education

Microsoft vulnerability – EternalBlue + phishing emails

Ransomware attack – GLOBAL IMPACT!


Our Agenda

De-Mystifying Cyber Risk

Learn from the Experience of MIT

Practical, Research-Based Solutions

De-Mystifying Cyber Risk


June 30, 2016: Massachusetts General Hospital data breach affects 4.3K patients

June 8, 2016: Calgary university pays ransom in Bitcoin after cyberattack

June 6, 2016: Irongate malware that targets industrial control systems uncovered

August 3, 2016: Bitcoin Exchange Hacked, Loses $65 Million

May 18, 2016: Hacker selling 117 million LinkedIn emails and passwords on dark web

July 8, 2016: Omni hotels warns of data breach

June 9, 2016: Twitter passwords leaked for millions of accounts

June 20, 2016: Greenwich University suffers second data breach this year in ‘revenge hack’

August 18, 2016: Eddie Bauer stores hit with credit card breach

June 27, 2016: Hard Rock Las Vegas reports card data breach

March 31, 2016: Hospitals crippled by cybercriminals: Ruthless MedStar hack demands £12,900 to unlock

October 21, 2016: Attack on Dyn affects major websites across the US

Cyber Loss Trends

Increased sophistication impacting all types of clients

Cyber attacks can be felt beyond the targeted location

Ransomware remains the most prevalent threat vector


FM Global Loss Trends - Education

Top 5 15% Ransomware


Ransomware/Cyber Extortion Events

[Chart: ransomware/cyber extortion events by year, 2009 to 2016]


Ransomware – $25 Million

Education Cyber Incidents 2016

itgovernanceusa.com, 2017: Education industry: 1,048,342 records exposed in 2016.

Data breaches increased by 40% over 2015.

Leading cause was hacking/phishing/skimming: 56%.

Employee error/negligence caused 31% of events.


Education Top Threat Vectors

1. Hacking/Phishing/Skimming/Malware

2. Employee error/negligence

3. Portable devices

4. Stationary devices

5. Physical loss

6. Intentional insider threats

Advisory.com 2016 https://advisory.ey.com/cybersecurity/cyber-threats-higher-education-institutions

MIT – 2016 Cyber Attacks

Attack: Data Breach
Protection: Security awareness
Detection: Vulnerability scans
Response: Incident analysis (DIRT)

Attack: Distributed Denial of Service (DDoS)
Protection: Cloud-based DDoS mitigation service
Detection: Automated notification from Akamai
Response: Akamai filters out all of the malicious traffic (total protection for MITnet)

Attack: Compromised Hosts
Protection: Security awareness
Detection: Intrusion detection systems
Response: Identify system owner; quarantine host’s address if necessary

Attack: Malware
Protection: Anti-malware, anti-virus, device firewalls; security awareness
Detection: Alerts from detection systems
Response: Identify system owner and quarantine host’s address, if necessary


MIT – 2016 Cyber Attacks cont.

Attack: Ransomware
Protection: Security awareness; anti-malware
Detection: Alerts from Provider; reports from users
Response: Restore from system & data backups

Attack: Phishing/Social Engineering
Protection: Phishing awareness; spam filtering; two-factor authentication (Duo)
Detection: Semi-automated review of activity; reports from users
Response: Quarantine IP address; identify victims through logs; suspend accounts

Attack: Website Defacements
Protection: Vulnerability scanning
Detection: Reports from Provider & users
Response: Identify system owner and notify

Cyber risk is more than an IT issue. It’s an enterprise risk.


Cyber Insurance Market

Current state of cyber insurance market

Market is rapidly growing and evolving

[Figure: Cyber Insurance Market Maturity Curve. Sales plotted across the stages Introductory, Growth, Maturity, Decline. Labels on the curve: $2.5B market; 2020, $7.5B; 2025, $20+B.]

Cyber Market Trends

Outsourcing Mitigation Strategies: Insurers are partnering with security experts

Gaining Consistency: Cyber carriers now include property coverage in their stand-alone policies

Lacking Clarity: Cyber excluded from property policies; confusion over primary/excess coverage


Evolution

[Timeline figure: Financial Gain (2010-2014); Business Disruption (2015-2017); Property Damage (2020). Coverage labels: 3rd party; 1st party and 3rd party.]


The majority of cyber losses are preventable.


Learn from the Experience of MIT


MIT

2016 Cyber Attacks

Evolving Threats

Ongoing Risk Management and Mitigation

MIT – 2016 Cyber Attacks: Intrusion Attempt Totals (24 hr period)


MIT – Real Time Heat Map Showing Campus Targets


MIT – Evolving Threats

Data Breach: Destruction, modification, theft, or disclosure of information

Top concern: Identity theft

Attack vector: Social engineering

System Integrity Breach: Denial of use, interruption of services, or loss of control

Top concern: DDoS (Distributed Denial of Service) botnets

Emerging concern: Breach of IoT (Internet-of-things) sensors, devices, and control systems


MIT – IT Risk Management

How do we respond quickly and efficiently to mitigate/manage and minimize the loss(es) that occur?

Mapping to Risk Management Framework

Action Required Reactive Planned Managed


MIT – Ongoing Mitigation Efforts

Identify: What is there to protect?

Protect: Defensive measures, safeguards available (2FA, etc.)

Detect: Real-time monitoring (e.g., adaptive machine-learning, etc.)

Respond: Take rapid action/response (via automation if possible)

Recover: Plan for resilience


People

Strengthening our information security awareness program & expanding its scope beyond personal-information-requiring-notification (PIRN) data

Expanding the capabilities of the Information Security Office


Process

Enhancing the security process guidelines published for our community at the Information Protection @ MIT website

Decreasing vulnerability windows by increasing the use of internal vulnerability scanning, and by automating responses to events


Technology

Expanding the use of network segmentation, 2FA, encryption, and automated data backup

Expanding the use of real-time analytics for identification of “out-of-the-ordinary” activities


Identify: What is There to Protect

Reputational, financial, and physical harm

Confidentiality: unauthorized disclosure

Integrity: unauthorized modification

Availability: access to resources

Personally Identifiable Information (PII)

Denial of Service

Building Management Systems (IoT)

Website defacement

Research data

Admissions decisions

Credit Card Information (PCI-DSS)

Health Insurance Information (HIPAA)


MIT – Identify Data Classification

Levels of information based on risk: LOW, MODERATE, HIGH

Security controls for each level

Education/documentation for each control

Applications allowed at each level

In progress; goal is to have levels and controls approved by Fall 2017

MIT – Data Classification cont.

LOW

Includes information that the Institute has chosen not to disclose, but which would not result in material harm.

Includes public information – good security practices should still be followed to protect the integrity and availability of information.

MODERATE

Information is not meant to be freely available to the general public, or to the MIT community without access controls.

Loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in legal liability, reputational damage, or potential for other types of harm.


HIGH

Information subject to legal or regulatory requirements requiring its proper safeguarding and handling, including possible notification in the event of a breach.

The loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in serious harm to individuals or the Institute.


Practical, Research-Based Solutions


The Next Big Thing


Cyber Risk Assessment

Risk Quality

Likelihood and Severity

Information Security

Industrial Control Systems

Physical Security


Information Security

Prevent unauthorized access, disclosure, disruption, destruction of information.

Solutions

ERM Program

Identify, Classify, Protect

Incident Response Plan

Education and Training


Industrial Control Systems

Prevent malicious attacks of building automation systems, process controls and equipment.


Solutions

Cross functional team

Industrial control systems

Critical control networks

Patch vulnerabilities


Physical Security

Prevent unauthorized access to facilities, equipment and information systems.

Cyber Connection

Cyber attacks require network access, which can be achieved:

REMOTELY over an internet connection

PHYSICALLY by connecting to a network port in person


Solutions

Physical security risk assessment

Procedures for visitors and contractors

Secure network areas and rooms


Your Mission (Should you choose to accept it…)

Cyber Risk: Study, Assess, Improve, Transfer
