Opening Remarks. Tom Ruggieri CEO Advisen


Opening Remarks

Tom Ruggieri, CEO, Advisen


Tom Srail of Willis


Opening Remarks

Ben Beeson, Partner, Global Technology and Privacy Practice, Lockton


Keynote Address

Rt Hon Lord Reid of Cardowan, A Principal at the Chertoff Group and Chair, Institute for Security and Resilience Studies


The Cyber Liability Insurance Market

Jim Blinn, EVP, Information & Analytics Division, Advisen

Slides available for members


Risk Management Issues and Practices

Alastair Allison, Head of Risk Information and Business Continuity, Zurich

Jeremy Smith, Head of Technology and Security Practice


Cyber Risk Management

25 February 2014, Alastair Allison


© Zurich Insurance Group

Threat Actors

Source: Verizon Data Breach Report 2013

Staff

Staff are prone to human error and to the same vulnerabilities as anyone else. They operate the systems and know the controls, and can either manipulate them to achieve their own ends or be blackmailed into stealing data.

Systems

Our systems are also threats to our data if they are poorly tested, if vendors are not screened, if they have weak controls, or if they are not kept up to date with patches and fixes.

Operating out-of-date systems is not necessarily a threat, but it must be assessed as one.


The Data Cascade

 Know where the data flows.

 1 claim case involved the following:

– 2 other insurers,

– 1 broker,

– 4 legal companies (one non-EEA),

– 3 doctors,

– 2 police forces,

– the employer of the claimant,

– UK HMRC,

– a private investigator,

– the NHS,

– 2 courier firms,

– 1 engineering maintenance firm,

– a manufacturing company


Information Security – The bigger picture

Information Technology

– Portable Media Lockdown

– Data ports

– Encryption of data

– Disaster Recovery Assurance

– Administrator privileges

– Security Assessments

– IT data security enhancements (eg Data Masking, Email encryption, Data loss prevention)

– Development, implementation and operation of IT security technologies

– Assurance of IT Outsourcing Contracts

– Managing 3rd party IS / DP for global IT suppliers

– Prevention, detection, containment and recovery

Physical Security

– Clear Desk

– Entry Control

– Business Continuity

– Infrastructure review

Third parties

– Contracts

– Data Flows

– Assurance reviews

– Internal Training

Human Resources

– Vetting process

– Training and awareness

– Discipline

– New starters/Leavers/Movers

Other

– Data retention

– Maturity model & market best practice

– ISO Standards evaluation / adherence

Governance

– Accountability

– Responsibility

– Risk process

– Oversight

– Measurement & assessment

– Escalation

– Change Management

– Learning and development

– Communications


Risk based planning

 Use the risk assessment to:

– Determine approach

– Sequence the cultural and technological improvements

– Sequence communications

– Assess and respond to incidents

– Allocate annual budget

– Respond to regulatory pressure

– Review audit plans


Communication

Join the business dots

Keep it

– simple

– relevant

– going


Key lessons

1. Executive support is vital

2. Risk-based information security is more than just compliance or just IT

3. Eliminating unnecessary data is a key challenge

4. Establish essential security controls; these common-sense measures must be monitored

5. Early warnings are often contained in event logs

6. Ensure ownership with data champions and extend this to the supply chain

7. Integrate it into business processes, especially risk management


IRM Cyber Risk Guidance


Information Security Initiative of the Year 2013 Highly Commended


2014 Network Security & Cyber Risk Management: The Third Annual Survey of Enterprise-wide Cyber Risk Management Practices in Europe


Who did we survey?

• The aim of the survey is to gain insight into the current state and ongoing trends in cyber risk management in Europe.

• Completed by 45 risk managers, insurance buyers and other risk professionals.

• In terms of location, 62% were UK, 22% Europe, 16% RoW (rest of world).

• The majority of respondents came from multinational enterprises, with 54% having turnovers in excess of £1bn.

• 33% have between 5,000 and 15,000 employees.

• In terms of industry sector, 29% came from Professional Services,


Perception of cyber risks continues to grow

• 98 percent believe cyber risks pose at least a moderate threat, up 12 percentage points from 2013

• 76 percent believe cyber risks pose a serious or extremely serious threat, up 19 points from 2013

Cyber risks are increasingly viewed as a threat by senior executives and board members

• 76 percent say board members view cyber risks as a significant threat, up 23 points from 2013

• 83 percent say senior executives view them as a significant threat,


SMEs

• Smaller companies (annual turnover of less than £250 million) view cyber threats more seriously than large companies (annual turnover greater than £1 billion)

Network Risk

• Network security risks are increasingly a risk management focus

• 90 percent say they are a risk management focus

• This is up 14 percentage points from 2013 and a total of


Question: “Which department is responsible for spearheading the information or network security risk management effort?”

IT is still acknowledged as the front line defense against information losses and other cyber risks


50 percent of respondents take a multi-departmental approach to their network security risk management efforts


Other headlines:

• 80% have a written social media policy

• 85% have a mobile security policy (up 16%)

• 63% now have a BYOD policy (up 22%)

• 53% include cloud computing in their cyber risk management (up 9%)

• 33% purchase cyber cover (up 21%)


In Conclusion:

• Organisations are much more educated about cyber risks.

• More organisations are proactively incorporating cyber strategies into their risk management program and are addressing the full spectrum of cyber risk.


The Risk Manager’s Perspective on Data Security and Cyber Insurance


The Risk Manager’s Perspective on Data Security and Cyber Insurance

Tim Mitchell, FINEX Global Professional Indemnity Practice Leader, Willis


• Tim Mitchell, FINEX Global Professional Indemnity Practice Leader, Willis

• Julia Graham, Director of Risk Management and Insurance, DLA Piper

• Lisa Meredith, Assistant Insurance Manager, Marks and Spencer Plc

• Michael Roberts, Customer Security, RBS

The Risk Manager’s Perspective on Data Security and Cyber Insurance

Tim Mitchell, Willis

Julia Graham, DLA Piper

Lisa Meredith, Marks & Spencer

Michael Roberts, RBS


Insurance Coverage and Coverage Issues


Insurance Coverage and Coverage Issues

Kristi Robles, Associate, Nelson Levine de Luca & Hamilton (Moderator)


Insurance Coverage and Coverage Issues

• Kristi Robles, Associate, Nelson Levine de Luca & Hamilton

• Peter Foster, Executive Vice President, FINEX, Willis

• Lisa Hansford-Smith, Senior Professional Indemnity Underwriter, XL

• Alessandro Lezzi, Head of TMB International, Beazley

• Fredrik Motzfeldt, Partner, Communications, Media &


Insurance Coverage and Coverage Issues

Peter Foster, Willis

Lisa Hansford-Smith, XL

Alessandro Lezzi, Beazley

Fredrik Motzfeldt, JLT

Kristi Robles, Nelson Levine


Conference Luncheon

Emerging Risks and the Future of Cyber Insurance begins promptly at 13.45


Emerging Risks and the Future of Cyber Insurance

Matthew Hogg, Vice President, Liberty Specialty Markets (Moderator)


• Matthew Hogg, Vice President, Liberty Specialty Markets

• Erica Constance, Executive Director, FINEX Global Professional Indemnity, Willis

• Graeme Newman, Director, CFC Underwriting

• Ira Scharf, Chief Strategies Officer, BitSight Technologies

• Stephen Wares, Cyber Risk Practice Leader, EMEA, Marsh


Emerging Risks and the Future of Cyber Insurance

Erica Constance, Willis

Graeme Newman, CFC Underwriting

Ira Scharf, BitSight Technologies

Stephen Wares, Marsh

Matthew Hogg, LSM


Understanding the Cyber Claims Process

Noona Barlow, Head of Financial Lines Claims, EMEA, AIG


Agenda

The cyber market, from a claims perspective

Claims examples

Tips for dealing with cyber claims – before and after


Clients’ Top Concern is Cyber Risk*

1. Cyber Risks 86%

2. Loss of Income 82%

3. Property Damage 80%

4. Worker’s Compensation 78%

5. Utility Interruption 76%

6. Securities/Investment Risk 76%

7. Auto/Fleet Risk 65%

* Based upon 2012 AIG survey. Percentage of respondents who indicated they were “very” or “somewhat” concerned about each specific risk, from a base of 256 quantitative interviews among brokers, risk managers, C-Suite executives and information technology decision makers, October – November 2012.

Clients’ Cyber Concerns

 80% of clients believe that it is difficult to keep up with cyber threats because they are evolving so quickly

 74% of clients believe human error is a significant source of cyber risk

 82% believe hackers are the primary source of cyber threats


The Cyber Landscape

AIG survey says boards are concerned about cyber attack and data breaches

Risk managers do not buy cyber cover because the IT department says everything is okay

Cyber insurance demand increased 33% in 2012

Only 20% of companies buy cyber cover, despite the


Is Cyber Security on the Corporate Agenda?

81% say senior management place high or very high priority on security

42% of large organisations do not provide any ongoing security awareness training to staff

33% of large companies say responsibilities for ensuring data security are not clear

93% of companies where security policy is poorly


Claim Activity

Types of Data Most Often Exposed (from NetDiligence Claims Study, 2013)

 PII – Personally Identifiable Information (33% of Events)

 PHI – Protected Health Information (27% of Events)

 Credit/Debit Card Information (19% of Events)

Causes of Loss (from NetDiligence Claims Study, 2013)

 Hacker – External (21% of Events) BUT accounted for 97% of records exposed

 Lost/Stolen Laptop or Device (21% of Events)

 Malware/Virus (19% of Events)


Claim Activity

Industries Impacted (from NetDiligence Claims Study, 2013)

• Healthcare (29% of Events)

• Financial Services (15% of Events)

Average Costs

• Event Management: $346,000 (from NetDiligence Claims Study, 2013)

• Cost per record: $5.22 (from NetDiligence Claims Study, 2013) to $188 (Ponemon Cyber Study, 2013)

• Financial impact per incident: $3.5 million (from NetDiligence Claims Study, 2013)


Claims Example – Hacker

Insured provides medical and travel assistance in 70 countries

Works with governments, business, NGOs

Over 5 day period, insured’s systems compromised

Insured was advised by external security firm monitoring hackers’ websites

A month later, another breach


Claims Example – Rogue Employee

 Insured is multinational bank

 Snr Financial Analyst at insured’s subprime lending division downloaded over 2 million records

 Sold 20,000 customer profiles each week for $500 each

 Notification required to over 10 million people

 42 class actions

 Total loss to insured USD 40m


Claims Example - Hacker

Large US retailer

December 2013 breach

Insured found out from Secret Service

Malware discovered on 43,745 point of sale terminals

Over 20 day period, malware exposed credit and debit card info (including PINs) of 40m customers

Subsequent discovery that hackers accessed customer info database, accessing personal information for an additional 70 million customers


Regulatory Landscape

46 states have notification requirements

SEC – 2011: “Guidance” that companies should voluntarily disclose their cyber exposure and how it is addressed; the goal is disclosure of “material” information that would be of interest to an investor

Executive Order issued by the Obama Administration in February 2013

European Union (EU) Cyber Security Directive – 2015(?)

UK Information Commissioner

Global Awareness and Concern

A single data breach could lead to legal and regulatory action in more than


Notify, Notify, Notify

Variety of 1st and 3rd party coverage available but notify to take advantage:

 Event Management (manage and mitigate)

 Use of a breach coach

 Notification expenses

 Forensic investigation (evaluate location of servers and data subjects)

 Public relations consultant

 Credit monitoring service

 Identity theft insurance

 Business Interruption


Beware Knock on Activity

Target

 More than 70 class action lawsuits filed on behalf of consumers and others

 Revenue downturn and loss of prospective clients

 Investigation by DOJ and Secret Service

At least two shareholder derivative suits against D&Os

 Breach of fiduciary duty and waste of corporate assets

 Breach of fiduciary duty, gross mismanagement, waste of corporate assets


A Claim – Before and After

Before

 Recognize data is at risk and have a plan in place.

After

First need to know you had or have a breach.

 Report of lost laptop (because Human Error is an element in 75%+ of breaches)

 Log files show unauthorized access - OR

 As is the case with 86% of breaches it is discovered/reported by a third party

The ‘Real’ After

Companies fall into three groups:

 Overreact and make public statements without facts

 Underreact and wait days/weeks to act


Mid-Afternoon Break

Impact of Proposed European Data Protection Reforms begins at 15.15


Impact of Proposed European Data Protection Reforms

Bridget Treacy, Partner, Hunton & Williams (Moderator)


Impact of Proposed European Data

Protection Reforms

• Bridget Treacy, Partner, Hunton & Williams

• Jamie Bouloux, Cyber Liability Manager, Europe, AIG

• John Bowman, Head of International Data Protection & Policy, UK Ministry of Justice

• Mark Deem, Partner, Edwards Wildman Palmer UK

• Jyn Schultze-Melling, Chief Privacy Officer, Allianz


Impact of Proposed European Data Protection Reforms

Jamie Bouloux, AIG

John Bowman, UK Ministry of Justice

Mark Deem, Edwards Wildman

Jyn Schultze-Melling, Allianz

Bridget Treacy, Hunton & Williams


Government Cyber Security Frameworks

Ben Beeson, Global Technology and Privacy Practice Partner, Lockton (Moderator)


• Ben Beeson, Partner, Global Technology and Privacy Practice, Lockton

• Gerald Ferguson, Partner, BakerHostetler

• Mark Fishleigh, Director, Financial Services Practice, BAE Systems

• Russell Price, Chairman, Continuity Forum

• Sarah Stephens, Head of Cyber & Commercial E&O, EMEA, Aon

Government Cyber Security Frameworks

Gerald Ferguson, BakerHostetler

Mark Fishleigh, BAE Systems

Russell Price, Continuity Forum

Sarah Stephens, Aon

Ben Beeson, Lockton


The View from the Top

Tom Ruggieri, CEO, Advisen (Moderator)

• Tom Ruggieri, CEO, Advisen

• Warren Downey, Head of Risk Practice Business, Member of the Board, JLT Specialty Markets

• Matthew Fairfield, Founder and Chief Executive Officer, ANV Holdings BV

• Philippe Gouraud, Head of Client Management Group and Global Risk Solutions, EMEA, AIG

• Richard Hodson, Head of Technology, Oval Insurance Broking Limited


The View from the Top

Warren Downey, JLT

Matt Fairfield

Philippe Gouraud, AIG

Richard Hodson, Oval Insurance

Tom Ruggieri, Advisen
