Actuarial Society 2017 Convention 17-18 October 2017
You’ve been hacked
Riekie Gordon, Roger Truebody & Alexandra Schudel
Why should you care?
U$4.6 - U$121 billion
U$45 billion not covered
(source: Lloyd's)
The plot thickens…
2016 Barkly Survey:
• 52% not planning security changes
• 33% of IT professionals hacked
“It’s a business model that works and you don’t need a lot of investment to actually get a decent return,” Tim Wellsmore, of FireEye, a network security company
Why should you care?
• Suppliers & partners
• Employees
• Reputational damage
• Data loss
• Business interruption
• Email system
AGENDA
1. Cyber drivers
2. Dealing with it
3. Integration
4. Transfer
Cyber drivers: If you only remembered five things!
1. Introduced by connected technology, the impact is primarily experienced at a business level.
2. This is a pervasive risk, dealt with via programmes, not projects.
3. Management oversees risk, monitors relevant policies and procedures, and plays a significant strategic role in overseeing and interrogating the response to the cyber threat.
4. Management includes cyber risk as a regular agenda item (often as a “Top 5” risk) and mandates sub-committees (e.g. Risk, Audit) to oversee the management of, and response to, this risk.
5. Management needs to understand the defensive value chain and link it to other macro business developments.
Refer to the impact factors of a cyber attack.
Cyber drivers: Tools, tactics & procedures
• Social engineering
• Phishing
• Botnets
• Exploits
• Ransomware & doxxing
• DDoS
• Website compromise
• Password theft
• Evasion tactics
Cyber drivers: Threat vectors
Understanding your threat landscape is the start
• Suppliers & partners
• Employees
• Mobile devices
• Smart devices
• Customers
Reality check: Examples – What do you stand to lose?
• R300 million ($19 million) from ATMs
• Social engineering
• Employees
• Lawsuits total $1 billion.
• Website compromise??
• Password theft
• Target CEO & head of technology fired
• Employees
• Password theft
Cyber drivers: Accountability
• Board level obligation to extend due care (King IV report)
• Personal executive accountability
Considerations:
• Measuring and managing it
• Confidentiality and regulatory frameworks
• Brand, reputation and market perception
• Security as a market differentiator
• Diffusion of commercial benefit
Reality check: Examples
How were the Gupta emails leaked?
Dealing with it…10 key questions
1. Do we demonstrate effective management of cyber risk?
2. Do we have the right leader and talent?
3. Do we have appropriate cyber risk escalation frameworks, risk appetite, and reporting thresholds?
4. Are we focused on, and investing in, the right things? If so, do we evaluate and measure the results of our decisions?
5. How do our cyber risk programmes and capabilities align to our peers?
6. Do we have a cyber-focused culture, organisation wide?
7. What have we done to protect the organisation against third-party cyber risks?
8. Can we rapidly contain damages and mobilise response resources when a cyber incident occurs?
9. How do we evaluate the effectiveness of our organisation’s cyber risk programme?
10. Are we a strong and secure link in the highly connected ecosystems in which we operate?
Refer to “Assessing cyber risk - Critical questions for the Board and C-suite”.
Dealing with it…Action plan
In our response/approach, how have we considered:
• Cyber programme & governance
• Possible tactics
• What are they after
• Who might attack
Dealing with it…
Risk-management-driven cyber security means that risk exposure dictates the allocation of budget and effort.
• Integrate cyber strategy with business strategy
• Protect the heart of the business: critical operations
• Identify and protect your crown jewels: data
• Don’t allow gaps to leave you exposed
• Develop a strong cybersecurity framework
• Non-negotiable areas to fortify
• Security starts at the top: put a senior executive at the helm
Dealing with it…Managing cyber risks: Action plan
• Secure: Your actual defences against an attack, including everything from cybersecurity strategies to policies and procedures to systems and controls.
• Vigilant: Your early warning systems, which enable you to identify potential threats before they hit, and to quickly detect attacks and breaches as they occur.
• Resilient: Your ability to respond quickly to attacks, and to bounce back quickly with minimal impact on your organisation, reputation and brand.
Integration
• Processes & procedures
• Risk appetite
• Risk / ORSA policy
• SAM / ERM framework
• Measuring / quantifying
• Risk register
• Reporting structures
The Insurance Involvement
• Broker / Benchmark
• Insurer - Incident Response Platform
• Risk Management / Simulations / Environment Analysis
Cyber event: the first 24 hours
1. Pre-event: risk profile analysis and landscape analysis
2. Pre-event: artefact collection – digital footprint
3. Event: analysis of actual incident
• What was clearly affected? Define strategy
• What information do we have? Where is it? Pathways?
• Type of attack – pre-defined strategy
Incident Response Network
• Incident manager
• IT forensics
• First notification of loss
• Regulatory notification
• Extortion
• Public notification
• Public relations
• Identity protection
• Legal
The Coverage: Privacy Liability
Wrongful disclosure of personal & corporate information
• Defence expenses
• Legal liability
• Regulatory defence expenses
• Privacy related fines/penalties
The Coverage: Security Liability
Failure to deter a computer malicious act
• Defence expenses
• Legal liability
• Regulatory defence expenses
• Privacy related fines/penalties
The Coverage: Incident Response costs
• Incident management
• Forensic investigation
• Notification
• Fraud remediation
• Legal consultation
• Public relations
The Coverage: Internet media liability
Electronic media content – defence expenses & legal liability for:
• IPR infringement
• Defamation/Libel/Slander
• Negligence
The Coverage: Cyber Extortion
Expense & extortion payments arising from threats to exploit vulnerabilities or release information
• Ransomware
The Coverage: Data Asset Loss & Business Interruption
• Business income loss and recovery costs arising from network outage…
• Recovery costs to deal with loss/corruption of data…
… caused by:
• Computer malicious acts
• Malware & hacking
• Unauthorised use or access
• Programming / human error
• Power failure
Claims examples: Ransomware
• Car components manufacturing company
• Malicious link
• Malware, encrypting information
• Demand R100,000
• Incident response manager
• IT forensic investigator
• Determine whether the company can avoid paying the ransom
Network Security Liability:
• Failure of insured’s network security
Cyber Extortion:
• Costs addressing threats unless extortion monies are paid
• Information technology consultant fees
Data Asset Loss:
• Costs of replacing lost/corrupt data
Incident Response Expenses:
• Forensic investigation costs
• Legal consultation fees
• Incident Response Manager fees
Claims examples: Disparagement via
• Internal email containing negative comments regarding a service provider
• Forwarded internally and eventually sent externally
• The email is seen by the service provider
• Defamation lawsuit for harming the service provider’s reputation
Media Liability:
• Third party claims arising from Insured’s Internet media activities
• Wrongful acts include product defamation, disparagement, trade libel, false light, plagiarism
• Defence and settlement costs for claims from service provider
Incident Response Expenses:
• Crisis communication services
• Public relations expert fees to minimise reputational impact
• Incident response manager fees
Claims count by trigger
• Hack 30%
• Human error 18%
• Lost/Stolen devices 15%
• Rogue employees 12%
• Unknown 12%
• Privacy policy 6%
• Paper 5%
• Software error 2%
Claims count by industry
• Healthcare 31%
• Professional services 15%
• Technology 10%
• Retail 8%
• Financial institutions 8%
• Education 7%
• Travel & hospitality 6%
Cyber Claims and Industry Trends: Triggers by Industry Segment
[Chart: Healthcare – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values as extracted: 7%, 25%, 18%, 21%, 10%]
[Chart: Financial Institutions – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values as extracted: 37%, 7%, 19%, 13%, 6%]
Cyber Claims and Industry Trends: Triggers by Industry Segment (cont.)
[Chart: Professional Services – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values as extracted: 23%, 10%, 26%, 20%, 5%]
[Chart: Public Entity – categories Hack, Paper, Human Error, Unknown, Privacy Policy; values as extracted: 64%, 7%, 11%, 7%, 12%]
What is not covered?
• Deliberate fraud/dishonesty (final adjudication) – rogue employees are covered
• Bodily injury or property damage
• Internet service provider hosting your website (unless under your control)
• Acts of war – cyber terrorism is covered
• Unauthorised collection of personal data – unintentional is covered
• Equipment/hardware
Considerations
• Capacity available in the market
• What limit is appropriate
• Quantification
• Follow-on D&O claims
• Complex to understand – fear of IT
Considerations cont.
• Condition precedent language – beware
• Systemic breaches a possibility
• Scale of losses for insurance market
• What is needed to quote
• According to PwC’s report Global Economic Crime Survey 2016, 32% of South African organisations have experienced cybercrime, and it is the fourth most reported type of economic crime in the country, and second internationally.
Why should you care?
Take it seriously
So what…
• Do you understand your risk?
• How much exposure do you have?
• Do you need to change controls or be more pro-active about training or cyber-watch?
• The risk is not going away, are you prepared?