What is Cyber Liability
Ubiquitous
Warfare
Espionage
Data Security and Privacy
Data Breach Response Costs
Privacy Regulatory Action
Civil Litigation
Cyber Insurance Marketplace
Tailored insurance solutions based on your exposures
No coverage/policy uniformity in the marketplace
Media Liability
Arising out of the utterance and dissemination of content in any medium
Various Personal Injury Torts
Defamation (Libel – Slander)
Invasion of Privacy
All Intellectual Property Infringement except Patent
Technology Errors and Omissions
Liability to third parties from an act, error or omission in the performance of or failure to perform your Tech Services, or
Liability to third parties from your Tech Product’s failure to perform or serve the purpose intended
Intellectual Property Infringement
How?
storing 3rd party Corporate Confidential Information
Tech or Professional Services
Tech Products
Services performed for others
Content and Domain Names
Examples of:
Copyright
Title, Slogan, Logo, Trademark, Trade Name
Trade Dress, Service Mark or Service Name
Patent
EXCLUDED
Patent Infringement
Trade Secret (unless exposed via a breach)
Operational Risk (Non-War Related)
Network outage from non-physical trigger and non-tangible loss
Includes dependent business interruption to cloud providers or other vendors
Loss of Revenue
Extra Expense
Cyber Espionage
Who?
State Sponsored or Organized Crime
What? First Party Loss of Intellectual Property
Cyber Sabotage
Stuxnet
Flame
Cyber Insurance Marketplace & Cyber Security Impact
White House Cyber Insurance Meeting Discussion Topics:
Cyber Security Privacy
Civil Liberties and Policy
National Security
Government Approach
Cyber Security Incentives
Cyber Security Insurance
Grants
Process Preference
Liability Limitation
Streamline Regulations
Public Recognition
Rate Recovery for Price Regulated Industries
Cyber Security Research
The Threat Profile
2012: 47,000 reported security incidents
Where do threats come from?
• State-sponsored attack
• Extremists (Terrorism or Hacktivist)
• Criminal gangs
• Disgruntled ex-employees
• Employees/Vendors
Also… Non-damage Interruptions
Over the last 5 or so years, a computer worm named Stuxnet has targeted Iranian infrastructure and is believed to be aimed specifically at the nuclear program. Although it was discovered in June 2010, it is believed to have existed in some form since 2007, and it is still being used to attack industrial processes, with attacks reported as recently as December 2012. It is believed that Stuxnet was jointly developed by the United States and Israel to target Siemens equipment which was procured secretly by the Iranians. It has since had several reincarnations as Duqu and Flame.
In October 2012, a US power company put a plant offline for three weeks after a technician of a third party contractor used an infected USB computer drive on the network.
In September 2012, Telvent, a company whose software and services are used to remotely administer and monitor large sections of the energy industry, suffered a sophisticated cyber-attack which was believed to be the work of a Chinese hacking group.
In November 2011, a US water utility company in Springfield, Illinois had a pump destroyed by a team of hackers, believed to be from Russia, who infiltrated its network and used their access to operate machinery. It is also believed that access was gained after a SCADA software vendor had customer usernames and passwords stolen. In the months prior to the attack, minor glitches were observed in the remote access to the system, and the utility was running phpMyAdmin, a web-based database administration tool which would be too insecure for use at such a facility.
In June 2009, a night security guard at a Dallas hospital used his position to gain physical access to the HVAC (heating, ventilation and cooling) system, which he was then able to manipulate. His intrusion was only discovered by a security researcher who found screenshots from the control systems.
In August 2005, DaimlerChrysler had to put 13 plants offline due to an internet worm called Zotob. This worm affected a number of companies, with DaimlerChrysler having to shut down production for an hour while Windows systems were patched to close a hole that had only recently been addressed by Microsoft.
In August 2003, CSX Corp had its computer system infected by the Sobig virus, which was transferred via email. Usually control systems would not be affected; however, because there was inadequate protection, the entire CSX system was affected, meaning the delay and cancellation of many trains.
In January 2003, an Ohio nuclear power plant operated by First Energy had a safety monitoring system taken offline for five hours by the Slammer worm. The worm entered the unsecured network of a contractor whose network was bridged with the plant's corporate network, which bypassed the plant's firewall.
Beginning in January 2000 and lasting over 3 months, Maroochy water services were repeatedly hacked by a former consultant who had been refused a full-time job with the local council. He made at least 46 attempts to take control of the sewage system and its various pumps, expelling millions of litres of raw sewage into local parks and rivers and causing over $1m of damage.
Supervisory Control & Data Acquisition
What is CL380?
Insured Events
• Accidental Damage or Destruction
• Administrative or Operational Mistakes
• Computer Crime and Computer Attacks
• Denial of Service/Distributed Denial of Service
• Malicious Code
• Unauthorised Access
• Unauthorised Use
Indemnity
What does the SCADA product cover?
• Business Interruption caused by an insured peril
• Business Interruption as a result of property damage caused by an insured peril
• Digital Asset Damage
• Cyber Liability
What does the SCADA product NOT cover?
• Physical damage – replacement costs in isolation
• Technology Service Errors & Omissions
Our Mission
To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management
Our Goal
To be the best place to do business and to work
www.lockton.com
© 2013 Lockton, Inc. All rights reserved. Images © 2013 Thinkstock. All rights reserved.