Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh


(1)

Navigating Cyber Risk

Exposure and Insurance

Stephen Wares

EMEA Cyber Risk Practice Leader

Marsh

(2)

Presentation Format

Four Key Questions

How important is cyber risk and how should we view the cyber threat?

To what extent do European organisations have a clear and documented understanding of their cyber risk profile and how can this be improved?

Where are the gaps in knowledge and data that might impair an organisation’s ability to make informed risk transfer choices?

Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?

(3)

How important is cyber risk and how should we view the cyber threat?

(4)

Importance of cyber risk?

Context – National Level UK

• “Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial, and economic targets, including critical services, could feasibly be disrupted by a capable adversary.” National Security

(5)

Importance of cyber risk?

Context – National Level USA

“Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.” Senate Armed Services Committee, February

(6)

Importance of cyber risk

Context –

European Cyber Risk Survey 2015

Where does cyber risk feature in the corporate risk register?

Chart categories: Top five risk; Top ten risk; Outside the top 10; Not on the corporate risk register. Values shown: 17%, 28%, 30%, 25%.

The fact that over half of all organisations surveyed do not have cyber risk within the top 10 items on the risk register would suggest a divergence from the government view.

(7)

To what extent do European organisations have a clear and documented understanding of their cyber

(8)

Understanding of Cyber Risk

Context – European Cyber Risk Survey 2015

To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?

No understanding: 4%

Limited understanding: 26%

Basic understanding: 49%

Complete understanding: 21%

79% of organisations reported that they have, at best, a basic understanding of their cyber risk profiles.

(9)

Understanding of Cyber Risk

Context – European Cyber Risk Survey 2015

Have you identified one or more cyber scenarios that could most affect your organisation? (Chart: Yes / No.)

The fact that only slightly more than half (57%) of respondents have identified one or more cyber scenarios that could most affect their organisations would suggest that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their business.

(10)

Understanding Cyber Risk

Context – European Cyber Risk Survey 2015

Chart (percentages by country): series IT function including security; Board; Risk management. Countries: Total Europe, Belgium, Turkey, Switzerland, Denmark, France, Portugal, Sweden, Netherlands, Germany, Cyprus, Russia, Austria & CEE, Spain, Italy, Poland, UK, Ireland.

(11)

Understanding Cyber Risk

(12)

Understanding Cyber Risk

Marsh/HM Government, UK Cyber Security Report – Risk Profile for a Large Business – Insurer View

(13)

Understanding Cyber Risk

Scenario Gathering Process

Set parameters:

• Which group companies, business divisions are in scope?

• Malicious events versus non-malicious events.

• Map the IT value chain.

Gather exposure data:

• Single day workshop.

• Structured interviews.

• Questionnaire.

• Select from a menu.

Refine to create risk scenarios for material exposures:

• Amalgamate common/similar items.

• Write up as a scenario that can be considered for quantification.

• Remove immaterial items, reallocate any that don’t fit parameters.

(14)

Understanding Cyber Risk

Scenario Example

Actor: Criminal

Motivation: Acquisition of payment card details

Means of access: Remote via internet

Point of attack: Point of sale devices

Damage:

• Investigation/response costs

• PCI fines and assessments

• Regulatory (ICO) fines and costs

• Civil compensation claims

o Banks

o Customers

o Shareholders

(15)

Where are the gaps in knowledge and data that might impair an organisation’s ability to make

(16)

Preparedness for Risk Transfer

1. An understanding of the event that is to trigger an insurance.

2. An appreciation of the likely quantum.

(17)

Preparedness for Risk Transfer

The majority of organisations (68%) have not yet made any attempt to estimate/calculate loss estimates, making it difficult to direct mitigation efforts to areas of most potential harm.

Chart (loss estimates by country: Austria & CEE, Belgium, Cyprus, Denmark, France, Germany, Ireland, Italy, Netherlands, Portugal, Russia, Spain, Sweden, Switzerland, Turkey, Poland, UK). Categories: EUR1 million or below; EUR1 million to EUR2 million; EUR2 million to EUR5 million; EUR5 million and above; No loss estimates made.

(18)

Preparedness for Risk Transfer

Expert Judgement

Scale, with description, financial, reputation and service/operations criteria:

1 Negligible. Financial: <$1m (max of 1% EBITDA). Reputation: public concern restricted to local complaints. Service / Operations: insignificant fall in service quality, limited interruption to partnerships, insignificant effect on service standards.

2 Significant. Financial: $1m-$4.9m (max of 4% EBITDA). Reputation: minor adverse local/public/media attention and complaints. Service / Operations: minor fall in service quality, interruption to partnerships, some minor service standards are not met.

3 Major. Financial: $5m-$8.9m (max of 8% EBITDA). Reputation: serious negative national or regional criticism. Service / Operations: major fall in service quality, major partnerships deteriorating, ongoing serious disruption in service standards.

4 Catastrophic. Financial: >$9m (exceeds 8% EBITDA). Reputation: prolonged international, regional & national condemnation. Service / Operations: catastrophic fall in service quality, failure of several major partnerships, complete failure in service standards.

(19)

Preparedness for Risk Transfer

Expert Judgement

(20)

Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?

(21)

Suitability of Insurance Products

Context – European Cyber Risk Survey 2015

The insurance market continues to address the issues that represent organisations’ greatest concerns.

(22)

Suitability of Insurance Products

Context – European Cyber Risk Survey 2015

The insurance market appears to be innovating in the right direction to address the primary concern of risk managers.

(23)

Suitability of Insurance Products

Context – European Cyber Risk Survey 2015

Over half (57%) of respondents admit to having “insufficient knowledge” in order to assess the insurances available.

(24)

Suitability of Insurance Products

The Insurance Communications Gap

Is this a conscious decision not to purchase following a thorough evaluation of the available insurance products, or are companies not yet in a position to approach the market due to a lack of risk profiling in their own organisations?

(25)
(26)

Navigating Cyber Risk

Exposure and Insurance

(27)

Thanks for your support !

LIVING AND

WORKING IN A

RISKIER WORLD

(28)

Cyber Insurance Update:

Policy Basics

First

Party

Coverage

• Business Interruption

• Loss of First Party Data

• Cyber Extortion

• Customer Notification

Expenses

• Reputational Damages

Third

Party

Coverage

• Network Security Liability

• Privacy Liability

• Multimedia Liability

• Loss of Third Party Data

(29)

Cyber Insurance Update:

Coverage Trends

Contingent Business Interruption

Administrative Costs Coverage

Regulatory Fines and Penalties Coverage

Emergency Costs

Crime Coverage

Bodily Injury / Property Damage Extensions

Cyber Exclusions under “Traditional” Property &

(30)

Cyber Insurance Trends:

Evolving Cyber Proposition

(31)

Cyber Insurance Update:

Post-Breach Remediation

(32)

Cyber Insurance Update: Post-Breach Remediation

Timeline stages shown on the slide: 1 hour; 2 - 5 hours; 5 - 24 hours; 24 - 48 hours.

Activities shown along the timeline: Notification to Incident Manager 24/7/365; Incident Manager appointed; Incident Manager first call with Insured; Triage call with all stakeholders; Incident Manager appoints specialists; Next steps and actions agreed; Immediate mitigations if appropriate; Specialist/s investigations / discussions underway; Stakeholder update conference call/s; Specialists’ initial reports; Clear Discovery Plan emerges; Stakeholder update conference call/s; Clear Solution Plan emerges.

(33)

Cyber Insurance Update:

Pre-Breach Services

Risk Assessments

Contractual and Regulatory / Legal Review

Analysis of Security & Privacy Practices

Systems Monitoring

Incident Response Planning

Business Continuity Enhancement

(34)

Cyber Insurance Update:

Purchasing Trends

Chart: percentage of clients purchasing cyber insurance, 2011 to 2015, for U.S., Europe and Asia (vertical axis 0% to 70%).

(35)
(36)

Cyber risks,

a view from the industry

Philippe COTELLE

(37)

A new industrial revolution

Where the aeronautic industry was a century ago…

… this is how we see this in the coming decade:

(38)
(39)

Cyber risks exposure

Internet: a tool allowing the sharing of information between people in order to create an open world.

Difficulty in protecting companies and their data from the outside.

(40)

Reputation

What are the obstacles to a good assessment of our cyber risks?

Wrong perception

(41)

SPICE initiative (Scenario Planning to Identify Cyber Exposure)

A program for business impact analysis on disaster scenarios affecting our operational capabilities related to a cyber-event.

Gathering representatives of all the functions as well as IT and IM Security to overcome 3 hurdles:

• Explain to the operational people that we need them

• Address the security issue with extreme care

• Be prepared to openly discuss some potential scenarios of exposure. No company shall assume that it is impossible to be hacked.

(42)

Scenario identification

• Focus on disaster scenarios

• Clear hypothesis

(43)

Assessing financial costs

Assessing financial cost of each scenario:

• Split scenarios into 4 different phases

• Simplify the list of impacted functions

• Compute over/under charge per scenario, per phase

Chart: financial costs of scenario x by phase (Phase A, Phase B, Phase C, Phase D; values shown 10, 46, 88, 22), with the timeline labels Security Breach, Crisis, Remediation, Investments, Vigilance and Security Breach Detection.

(44)

Assessing financial costs

Lessons learned

NUMBERS are related to our financial exposure.

There is no final number.

The objective is to reach a consensus acceptable by everyone.

(45)

Evaluate probability of occurrence

Quantify the technical probability of success of a scenario:

For each step of a given scenario, identify technical ways to proceed.

Rate each step with a probability of occurrence (using the internal probability scale).

Assessment performed by the local Information Management Security.

APT Kill Chain description used in the technical threat scenario.

(46)

Evaluate probability of occurrence

Lessons learned

Same method but different numbers!? Two different approaches were observed:

If an attacker was seriously considering hacking a major company, then this must be a very strong organisation which in itself should have gathered all those unique skills and resources. Therefore their probabilities were higher.

Given the defence systems in place, in order to be successful the attacker should gather so many different skills and resources that this was very unlikely. As such the probabilities were therefore very low.

• Need a homogeneous approach

• Associate with each scenario the type of hacker and their motives

(47)

Next Steps

Provide a rationale for mitigation strategy.

Diagram (cost of implementing IT security against % of mitigation): a region where IT investment makes sense to mitigate the exposure, and a region where the insurance premium cost is efficient.

Justify the interest of the transfer to insurance both for coverage and premium budget:

• IT investment and mitigation measures to reduce the probability and severity of occurrence

• insurance then becomes complementary (and not competitive) to IT measures and can be an efficient financial tool
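As an added worked example (not code from either presentation, nor from Marsh or Airbus), the following Python script ties together the quantification steps the slides describe: the per-phase financial cost of a scenario, the per-step probability rated along an APT kill chain, and the expert-judgement severity scale from the Marsh slide, and then compares accepting the risk, investing in IT mitigation, and transferring it to insurance. It assumes that a scenario succeeds only if every step succeeds and that the steps are independent (so the scenario probability is the product of the step probabilities), that a loss is rated on both the absolute band and the EBITDA share with the more severe rating kept, and that a policy pays up to a fixed limit; the scenario figures, step names and probabilities are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from math import prod

# Expert-judgement scale as printed in the Marsh slide: (rating, label, upper
# bound of the absolute band in USD, upper bound as a share of EBITDA).
# Assumption, not stated on the slide: a loss is rated on both criteria and
# the more severe of the two ratings is kept.
SCALE = [
    (1, "Negligible", 1_000_000, 0.01),
    (2, "Significant", 5_000_000, 0.04),
    (3, "Major", 9_000_000, 0.08),
    (4, "Catastrophic", float("inf"), float("inf")),
]


def severity(loss_usd: float, ebitda_usd: float) -> tuple[int, str]:
    """Map a loss to the 1-4 expert-judgement scale."""
    by_amount = next(s for s in SCALE if loss_usd < s[2])
    by_share = next(s for s in SCALE if loss_usd / ebitda_usd <= s[3])
    rating, label, _, _ = max(by_amount, by_share, key=lambda s: s[0])
    return rating, label


@dataclass
class Step:
    """One step of the technical threat scenario (a kill-chain stage) with
    the probability, on the organisation's internal scale, that the
    attacker completes it."""
    name: str
    p_success: float


@dataclass
class Scenario:
    name: str
    phase_costs: dict[str, float]  # financial impact of each phase, USD
    steps: list[Step]

    def total_cost(self) -> float:
        return sum(self.phase_costs.values())

    def probability(self) -> float:
        # Assumption: every step must succeed in sequence and the steps are
        # independent, so the scenario probability is their product.
        return prod(s.p_success for s in self.steps)

    def expected_loss(self) -> float:
        return self.probability() * self.total_cost()


def apply_mitigation(scenario: Scenario, step_name: str, new_p: float) -> Scenario:
    """Copy of the scenario with one kill-chain step made less likely."""
    steps = [Step(s.name, new_p if s.name == step_name else s.p_success)
             for s in scenario.steps]
    return Scenario(scenario.name, dict(scenario.phase_costs), steps)


def compare_options(scenario: Scenario, mitigated: Scenario,
                    it_investment: float, premium: float,
                    insured_limit: float) -> dict[str, float]:
    """Expected annual cost of accepting, mitigating, or insuring the scenario.
    Assumption: the policy pays the loss up to insured_limit and the excess
    is retained by the organisation."""
    retained = max(scenario.total_cost() - insured_limit, 0.0)
    return {
        "accept": scenario.expected_loss(),
        "it_investment": it_investment + mitigated.expected_loss(),
        "insure": premium + scenario.probability() * retained,
    }


# Constructed scenario, modelled on the deck's point-of-sale example; every
# figure here is illustrative, not survey or client data.
POS_SCENARIO = Scenario(
    name="Criminal acquires payment card details via point-of-sale devices",
    phase_costs={
        "A: security breach": 1_500_000,
        "B: crisis": 3_500_000,
        "C: remediation": 2_500_000,
        "D: investments / vigilance": 1_000_000,
    },
    steps=[
        Step("reconnaissance of internet-facing services", 0.9),
        Step("initial access", 0.5),
        Step("lateral movement to the POS network", 0.4),
        Step("card data exfiltration", 0.5),
    ],
)

if __name__ == "__main__":
    rating, label = severity(POS_SCENARIO.total_cost(), ebitda_usd=200_000_000)
    print(f"{POS_SCENARIO.name}: severity {rating} ({label})")
    print(f"probability {POS_SCENARIO.probability():.4f}, "
          f"expected loss ${POS_SCENARIO.expected_loss():,.0f}")
    # Network segmentation as the constructed mitigation: it lowers only the
    # lateral-movement step, which is where such a control acts.
    segmented = apply_mitigation(POS_SCENARIO, "lateral movement to the POS network", 0.1)
    options = compare_options(POS_SCENARIO, segmented, it_investment=300_000,
                              premium=150_000, insured_limit=5_000_000)
    for option, cost in options.items():
        print(f"{option:>14}: ${cost:,.0f} per year")
```

Running the script shows the point of the "complementary, not competitive" slide: the mitigation lowers the expected loss but leaves a retained exposure, the policy caps the loss but leaves the probability untouched, and the same per-step and per-phase inputs let the two budgets be compared on one basis instead of argued separately by IT and risk management.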

(48)

Challenges

The process needs to be performed regularly and be as exhaustive as possible: a strategy is needed to manage the roll-out of this process across the entire organisation, products and countries.

(49)

Challenges

The insurance market also needs to face several challenges:

Conditions of dialogue with the insurers

Problem of reputation in case of a claim

(50)

Conclusion

Our mission: to support technological development and to develop the conditions for securing and mitigating the unavoidable risks that such opportunities generate.

Cybersecurity is one of the key priorities for Airbus Group.

A dedicated entity: Airbus DS Cybersecurity. Its products and services are also offered to external companies to fight against cyber threats.

• Active cyber risk management is a key message towards external stakeholders.

• Standards for cyber risk assessment will be necessary.

(51)

Don’t forget!

Your evaluation and comments are the only way for FERMA to obtain information in order to improve the quality of the sessions.

Please fill in the documents given to you by our hostesses, or use the mobile application and earn points for the

(52)
