Navigating Cyber Risk
Exposure and Insurance
Stephen Wares
EMEA Cyber Risk Practice Leader
Marsh
Presentation Format
Four Key Questions
1. How important is cyber risk and how should we view the cyber threat?
2. To what extent do European organisations have a clear and documented understanding of their cyber risk profile and how can this be improved?
3. Where are the gaps in knowledge and data that might impair an organisation’s ability to make informed risk transfer choices?
4. Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?
How important is cyber risk and how should we view the cyber threat?
Importance of cyber risk?
Context – National Level UK
“Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial, and economic targets, including critical services, could feasibly be disrupted by a capable adversary.” National Security
Importance of cyber risk?
Context – National Level USA
“Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.” Senate Armed Services Committee, February
Importance of cyber risk
Context –
European Cyber Risk Survey 2015
Where does cyber risk feature in the corporate risk register?
[Chart: 17%, 28%, 30%, 25%; legend: Top five risk; Top ten risk; Outside the top 10; Not on the corporate risk register]
The fact that over half of all organisations surveyed do not have cyber risk within the top 10 items on the risk register would suggest a divergence from the government view.
To what extent do European organisations have a clear and documented understanding of their cyber risk profile and how can this be improved?
Understanding of Cyber Risk
Context – European Cyber Risk Survey 2015
To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?
[Chart: 4%, 26%, 49%, 21%; legend: No understanding; Limited understanding; Basic understanding; Complete understanding]
79% of organisations reported that they have, at best, a basic understanding of their cyber risk profiles.
Understanding of Cyber Risk
Context – European Cyber Risk Survey 2015
Have you identified one or more cyber scenarios that could most affect your organisation?
[Chart: Yes / No; values not recoverable from the extracted text]
The fact that only slightly more than half (57%) of respondents have identified one or more cyber scenarios that could most affect their organisations would suggest that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their business.
Understanding Cyber Risk
Context – European Cyber Risk Survey 2015
[Chart by country (Total Europe, Belgium, Turkey, Switzerland, Denmark, France, Portugal, Sweden, Netherlands, Germany, Cyprus, Russia, Austria & CEE, Spain, Italy, Poland, UK, Ireland); legend: IT function including security; Board; Risk management; per-country values not recoverable from the extracted text]
Understanding Cyber Risk
Marsh/HM Government, UK Cyber Security Report – Risk Profile for a Large Business – Insurer View
Understanding Cyber Risk
Scenario Gathering Process
Set parameters
• Which group companies, business divisions are in scope?
• Malicious events versus non-malicious events.
• Map the IT value chain.
Gather exposure data
• Single day workshop.
• Structured interviews.
• Questionnaire.
• Select from a menu.
Refine to create risk scenarios for material exposures
• Amalgamate common/similar items.
• Write up as a scenario that can be considered for quantification.
• Remove immaterial items, reallocate any that don’t fit parameters.
Understanding Cyber Risk
Scenario Example
Actor: Criminal
Motivation: Acquisition of payment card details
Means of access: Remote via internet
Point of attack: Point of sale devices
Damage:
• Investigation/response costs
• PCI fines and assessments
• Regulatory (ICO) fines and costs
• Civil compensation claims
  o Banks
  o Customers
  o Shareholders
Where are the gaps in knowledge and data that might impair an organisation’s ability to make informed risk transfer choices?
Preparedness for Risk Transfer
1. An understanding of the event that is to trigger an insurance.
2. An appreciation of the likely quantum.
The majority of organisations (68%) have not yet made any attempt to estimate/calculate loss estimates, making it difficult to direct mitigation efforts to areas of most potential harm.
[Chart by country (Austria & CEE, Belgium, Cyprus, Denmark, France, Germany, Ireland, Italy, Netherlands, Portugal, Russia, Spain, Sweden, Switzerland, Turkey, Poland, UK); legend: EUR1 million or below; EUR1 million to EUR2 million; EUR2 million to EUR5 million; EUR5 million and above; No loss estimates made; per-country values not recoverable from the extracted text]
Preparedness for Risk Transfer
Expert Judgement
Scale 1 – Negligible
  Financial: <$1m (max of 1% EBITDA)
  Reputation: Public concern restricted to local complaints
  Service / Operations: Insignificant fall in service quality, limited interruption to partnerships, insignificant effect on service standards
Scale 2 – Significant
  Financial: $1m-$4.9m (max of 4% EBITDA)
  Reputation: Minor adverse local/public/media attention and complaints
  Service / Operations: Minor fall in service quality, interruption to partnerships, some minor service standards are not met
Scale 3 – Major
  Financial: $5m-$8.9m (max of 8% EBITDA)
  Reputation: Serious negative national or regional criticism
  Service / Operations: Major fall in service quality, major partnerships deteriorating, ongoing serious disruption in service standards
Scale 4 – Catastrophic
  Financial: >$9m (exceeds 8% EBITDA)
  Reputation: Prolonged international, regional & national condemnation
  Service / Operations: Catastrophic fall in service quality, failure of several major partnerships, complete failure in service standards
Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
The insurance market continues to address the issues that represent organisations’ greatest concerns.
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
The insurance market appears to be innovating in the right direction to address the primary concern of risk managers.
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
Over half (57%) of respondents admit to having “insufficient knowledge” in order to assess the insurances available.
Is this a conscious decision not to purchase following a thorough evaluation of the available insurance products, or are companies not yet in a position to approach the market due to a lack of risk profiling in their own organisations?
Suitability of Insurance Products
The Insurance Communications Gap
Navigating Cyber Risk: Exposure and Insurance
Thanks for your support!
LIVING AND WORKING IN A RISKIER WORLD
Cyber Insurance Update:
Policy Basics
First Party Coverage
• Business Interruption
• Loss of First Party Data
• Cyber Extortion
• Customer Notification Expenses
• Reputational Damages
Third Party Coverage
• Network Security Liability
• Privacy Liability
• Multimedia Liability
• Loss of Third Party Data
Cyber Insurance Update:
Coverage Trends
• Contingent Business Interruption
• Administrative Costs Coverage
• Regulatory Fines and Penalties Coverage
• Emergency Costs
• Crime Coverage
• Bodily Injury / Property Damage Extensions
• Cyber Exclusions under “Traditional” Property &
Cyber Insurance Trends:
Evolving Cyber Proposition
Cyber Insurance Update:
Post-Breach Remediation
[Timeline diagram with windows: 1 hour; 2 - 5 hours; 5 - 24 hours; 24 - 48 hours. Steps shown, in extracted order; assignment of steps to windows not recoverable from the extracted text]
• Triage call with all stakeholders
• Specialist/s investigations / discussions underway
• Stakeholder update conference call/s
• Notification to Incident Manager 24/7/365
• Incident Manager appointed
• Incident Manager first call with Insured
• Incident Manager appoints specialists
• Next steps and actions agreed
• Stakeholder update conference call/s
• Specialists initial reports
• Clear Solution Plan emerges
• Immediate mitigations if appropriate
• Clear Discovery Plan emerges
Cyber Insurance Update:
Pre-Breach Services
• Risk Assessments
• Contractual and Regulatory / Legal Review
• Analysis of Security & Privacy Practices
• Systems Monitoring
• Incident Response Planning
• Business Continuity Enhancement
Cyber Insurance Update:
Purchasing Trends
[Chart: purchasing trend 2011–2015 by region (U.S., Europe, Asia); y-axis 0% to 70%; values not recoverable from the extracted text]
Cyber risks, a view from the industry
Philippe COTELLE
A new industrial revolution
Where the aeronautic industry had been so a century ago…
… this is how we see this in the coming decade:
Cyber risks exposure
Internet: a tool allowing the sharing of information between people in order to create an open world.
Difficulty in protecting companies and their data from the outside.
Reputation
What are the obstacles to a good assessment of our cyber risks?
Wrong perception
SPICE initiative
(Scenario Planning to Identify Cyber Exposure)
A program for business impact analysis on disaster scenarios affecting our operational capabilities related to a cyber-event.
Gathering representatives of all the functions as well as IT and IM Security to overcome 3 hurdles:
• Explain to the operational people that we need them
• Address the security issue with extreme care
• Be prepared to openly discuss some potential scenarios of exposure. No company shall assume that it is impossible to be hacked.
Scenario identification
• Focus on disaster scenarios
• Clear hypothesis
Assessing financial costs
Assessing financial cost of each scenario
• Split scenarios in 4 different phases
• Simplify the list of impacted functions
• Compute over/under charge per scenario, per phase
[Chart: Financial costs, Scenario x, per phase: Phase A 10, Phase B 46, Phase C 88, Phase D 22 (units not recoverable from the extracted text); timeline labels: Security Breach, Security Breach Detection, Crisis, Remediation, Investments / Vigilance]
Assessing financial costs
Lessons learned
NUMBERS are related to our financial exposure.
There is no final number.
The objective is to reach a consensus acceptable by everyone.
Evaluate probability of occurrence
Quantify the technical probability of success of a scenario to occur:
• For each step of a given scenario, identify technical ways to proceed
• Rate each step with a probability of occurrence (using internal probability scale)
Assessment performed by the local Information Management Security.
APT Kill Chain description used in the technical threat scenario.
Evaluate probability of occurrence
Lessons learned
Same method but different numbers!?
2 different approaches:
• Given the defence systems in place, in order to be successful the attacker should gather so many different skills and resources that this was very unlikely to be plausible. As such the probabilities were therefore very low.
• If an attacker was seriously considering hacking a major company, then this must be a very strong organisation which in itself should have gathered all those unique skills and resources. Therefore their probabilities were more important.
• Need a homogeneous approach
• Associate to each scenario the type of hacker and their motives
Next Steps
Provide a rationale for mitigation strategy
[Chart: cost of implementing IT security versus % of mitigation; regions labelled “IT investment makes sense to mitigate the exposure” and “Insurance premium cost is efficient”]
Justify the interest of the transfer to insurance both for coverage and premium budget:
• IT investment and mitigation measures to reduce the probability and severity of occurrence
• Insurance then becomes complementary (and not competitive) to IT measures and can be an efficient financial tool
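As an added example that is not part of any of the three presentations, the following Python model ties together the SPICE-style quantification steps (cost computed per phase A to D and summed; each kill-chain step rated with a probability and the steps chained into a scenario probability), the "Expert Judgement" severity scale from the Marsh slides, and the mitigation-versus-insurance question from the Next Steps slide. The scenario, the technical ways and their ratings, the phase costs, the EBITDA figures and the control cost are all constructed sample values; the reading of "max of x% EBITDA" as a band ceiling (the band ends at the lower of its dollar ceiling and its EBITDA fraction) and the choice of the best-rated way per step are modelling assumptions, not something the slides state.

```python
# Added example (not from the presentations): a small scenario-quantification
# model combining the kill-chain probability rating, the per-phase financial
# cost split, and the 1-4 "Expert Judgement" severity scale.
# All scenario data, probabilities, costs and EBITDA figures are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Step:
    """One step of the technical threat scenario (one kill-chain stage)."""
    name: str
    # Technical ways to achieve the step, each rated on the internal
    # probability scale (normalised here to 0..1). Constructed values.
    ways: Dict[str, float]

    def p_success(self) -> float:
        # Modelling assumption: the attacker takes the best-rated way, so the
        # step succeeds with the highest of the rated probabilities.
        return max(self.ways.values())


@dataclass
class Scenario:
    name: str
    steps: List[Step]
    phase_costs: Dict[str, float]  # over/under charge per phase A..D, in $m


def scenario_probability(scenario: Scenario) -> float:
    """Every step of the chain must succeed (steps treated as independent)."""
    p = 1.0
    for step in scenario.steps:
        p *= step.p_success()
    return p


def total_cost(scenario: Scenario) -> float:
    """Sum the cost computed for each phase of the scenario."""
    return sum(scenario.phase_costs.values())


def expected_loss(scenario: Scenario) -> float:
    return scenario_probability(scenario) * total_cost(scenario)


# Financial column of the Expert Judgement scale: (level, label, $m ceiling,
# EBITDA fraction). Assumed reading: a band ends at the lower of its $m ceiling
# and its EBITDA fraction, so a smaller firm reaches a higher level sooner.
SEVERITY_SCALE: List[Tuple[int, str, float, float]] = [
    (1, "Negligible", 1.0, 0.01),
    (2, "Significant", 5.0, 0.04),
    (3, "Major", 9.0, 0.08),
]


def severity(loss_musd: float, ebitda_musd: float) -> Tuple[int, str]:
    for level, label, ceiling, frac in SEVERITY_SCALE:
        if loss_musd < min(ceiling, frac * ebitda_musd):
            return level, label
    return 4, "Catastrophic"  # >$9m or exceeding 8% of EBITDA


def mitigation_benefit(scenario: Scenario, step_name: str,
                       new_ways: Dict[str, float], annual_cost_musd: float) -> float:
    """Expected-loss reduction from re-rating one step after a control is put
    in place, net of the control's annual cost. Positive means the IT
    investment pays for itself in expectation; the residual expected loss is
    what remains for insurance to cover."""
    before = expected_loss(scenario)
    steps = [Step(s.name, new_ways) if s.name == step_name else s
             for s in scenario.steps]
    after = expected_loss(Scenario(scenario.name, steps, scenario.phase_costs))
    return (before - after) - annual_cost_musd


# Constructed scenario modelled on the slides' example (criminal actor seeking
# payment card data via remotely reached point-of-sale devices).
POS_SCENARIO = Scenario(
    name="Payment card data theft via point-of-sale devices",
    steps=[
        Step("Initial access from the internet",
             {"phishing": 0.5, "exposed remote access": 0.3}),
        Step("Reach the POS network", {"lateral movement": 0.4}),
        Step("Install card-harvesting malware", {"unsigned software allowed": 0.5}),
        Step("Exfiltrate card data", {"unmonitored outbound traffic": 0.8}),
    ],
    phase_costs={"A": 0.5, "B": 2.0, "C": 3.5, "D": 1.0},  # $m, constructed
)


if __name__ == "__main__":
    p = scenario_probability(POS_SCENARIO)
    cost = total_cost(POS_SCENARIO)
    print(f"P(success) = {p:.3f}, cost = ${cost:.1f}m, "
          f"expected loss = ${expected_loss(POS_SCENARIO):.2f}m")
    for ebitda in (150.0, 50.0):
        print(f"EBITDA ${ebitda:.0f}m -> severity {severity(cost, ebitda)}")
    net = mitigation_benefit(POS_SCENARIO, "Reach the POS network",
                             {"lateral movement": 0.1}, annual_cost_musd=0.2)
    print(f"Net annual benefit of segmenting the POS network: ${net:.2f}m")
```

Running the sample rates the scenario at an 8% chance of success against a $7.0m cost ($0.56m expected loss); the same $7.0m loss sits at level 3 "Major" for a firm with $150m EBITDA but at level 4 "Catastrophic" for one with $50m EBITDA, which is the effect of the EBITDA cap in the scale. Re-rating the lateral-movement step from 0.4 to 0.1 cuts the expected loss to $0.14m, a $0.42m reduction that outweighs a constructed $0.2m control cost; the residual $0.14m is the part a premium would be compared against, which is the complementary role of insurance the Next Steps slide describes.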