Opening Remarks
Tom Ruggieri, CEO, Advisen
Tom Srail, Willis
Opening Remarks
Ben Beeson, Partner, Global Technology and Privacy Practice, Lockton
Keynote Address
Rt Hon Lord Reid of Cardowan, A Principal at the Chertoff Group and Chair, Institute for Security and Resilience Studies
The Cyber Liability Insurance Market
Jim Blinn, EVP, Information & Analytics Division, Advisen
Risk Management Issues and Practices
Alastair Allison, Head of Risk Information and Business Continuity, Zurich
Jeremy Smith, Head of Technology and Security Practice
Cyber Risk Management
25 February 2014, Alastair Allison
© Zurich Insurance Group
Threat Actors
Source: Verizon Data Breach Report 2013
Staff
Staff are prone to human error and to the same vulnerabilities as anyone else. They operate the systems and know the controls, so they can either manipulate those controls to achieve their own ends or be blackmailed into stealing data.
Systems
Our systems are also a threat to our data if they are poorly tested, their vendors are not screened, they have weak controls, or they are not kept up to date with patches and fixes.
Operating out-of-date systems is not necessarily a threat in itself, but it must be assessed as one.
The Data Cascade
Know where the data flows.
One claim case involved the following:
– 2 other insurers,
– 1 broker,
– 4 legal companies (one non-EEA),
– 3 doctors,
– 2 police forces,
– the employer of the claimant,
– UK HMRC,
– a private investigator,
– the NHS,
– 2 courier firms,
– 1 engineering maintenance firm,
– a manufacturing company.
Information Security – The bigger picture
Information Technology
– Portable media lockdown
– Data ports
– Encryption of data
– Disaster recovery assurance
– Administrator privileges
– Security assessments
– IT data security enhancements (e.g. data masking, email encryption, data loss prevention)
– Development, implementation and operation of IT security technologies
– Assurance of IT outsourcing contracts
– Managing 3rd party IS / DP for global IT suppliers
– Prevention, detection, containment and recovery
Physical Security
– Clear desk
– Entry control
– Business continuity
– Infrastructure review
Third parties
– Contracts
– Data flows
– Assurance reviews
– Internal training
Human Resources
– Vetting process
– Training and awareness
– Discipline
– New starters / leavers / movers
Other
– Data retention
– Maturity model & market best practice
– ISO standards evaluation / adherence
Governance
– Accountability
– Responsibility
– Risk process
– Oversight
– Measurement & assessment
– Escalation
– Change management
– Learning and development
– Communications
Risk-based planning
Use the risk assessment to:
– Determine approach
– Sequence the cultural and technological improvements
– Sequence communications
– Assess and respond to incidents
– Allocate annual budget
– Respond to regulatory pressure
– Review audit plans
Communication
Join the business dots
Keep it
– simple
– relevant
– going
Key lessons
1. Executive support is vital
2. Risk-based Information Security is more than just compliance or just IT
3. Eliminating unnecessary data is a key challenge
4. Establish essential security controls. These common sense measures must be monitored
5. Early warnings are often contained in event logs
6. Ensure ownership with data champions and extend this to the supply chain
7. Integrate it into business processes, especially risk management
IRM Cyber Risk Guidance
Information Security Initiative of the Year 2013: Highly Commended
2014 Network Security & Cyber Risk Management: The Third Annual Survey of Enterprise-wide Cyber Risk Management Practices in Europe
Who did we survey?
• The aim of the survey is to gain insight into the current state and ongoing trends in cyber risk management in Europe.
• Completed by 45 risk managers, insurance buyers and other risk professionals.
• By location, 62% were UK, 22% Europe, 16% rest of world.
• The majority of respondents came from multinational enterprises, with 54% having turnovers in excess of £1bn.
• 33% had between 5,000 and 15,000 employees.
• By industry sector, 29% came from the Professional Services,
Perception of cyber risks continues to grow
• 98 percent believe cyber risks pose at least a moderate threat, up 12 percentage points from 2013
• 76 percent believe cyber risks pose a serious or extremely serious threat, up 19 points from 2013
Cyber risks are increasingly viewed as a threat by senior executives and board members
• 76 percent say board members view cyber risks as a significant threat, up 23 points from 2013
• 83 percent say senior executives view them as a significant threat, up
SMEs
• Smaller companies (annual turnover of less than £250 million) view cyber threats more seriously than large companies (annual turnover greater than £1 billion)
Network Risk
• Network security risks are increasingly a risk management focus
• 90 percent say they are a risk management focus
• This is up 14 percentage points from 2013 and a total of
Question: “Which department is responsible for spearheading the information or network security risk management effort?”
IT is still acknowledged as the front line defense against information losses and other cyber risks
50 percent of respondents take a multi-departmental approach to their network security risk management efforts
Other headlines:
• 80% have a written social media policy
• 85% have a mobile security policy (up 16%)
• 63% now have a BYOD policy (up 22%)
• 53% include cloud computing in their cyber risk management (up 9%)
• 33% purchase cyber cover, up 21%
In Conclusion:
• Organisations are much better educated about cyber risks.
• More organisations are proactively incorporating cyber strategies into their risk management programme and are addressing the full spectrum of cyber risk.
The Risk Manager’s Perspective on Data Security and Cyber Insurance
Tim Mitchell, FINEX Global Professional Indemnity Practice Leader, Willis
• Tim Mitchell, FINEX Global Professional Indemnity Practice Leader, Willis
• Julia Graham, Director of Risk Management and Insurance, DLA Piper
• Lisa Meredith, Assistant Insurance Manager, Marks and Spencer Plc
• Michael Roberts, Customer Security, RBS
Insurance Coverage and Coverage Issues
Kristi Robles, Associate, Nelson Levine de Luca & Hamilton, Moderator
• Kristi Robles, Associate, Nelson Levine de Luca & Hamilton
• Peter Foster, Executive Vice President, FINEX, Willis
• Lisa Hansford-Smith, Senior Professional Indemnity Underwriter, XL
• Alessandro Lezzi, Head of TMB International, Beazley
• Fredrik Motzfeldt, Partner, Communications, Media &
Panel: Peter Foster (Willis), Lisa Hansford-Smith (XL), Alessandro Lezzi (Beazley), Fredrik Motzfeldt (JLT), Kristi Robles (Nelson Levine)
Conference Luncheon
Emerging Risks and the Future of Cyber Insurance begins promptly at 13.45
Emerging Risks and the Future of Cyber Insurance
Matthew Hogg, Vice President, Liberty Specialty Markets, Moderator
• Matthew Hogg, Vice President, Liberty Specialty Markets
• Erica Constance, Executive Director, FINEX Global Professional Indemnity, Willis
• Graeme Newman, Director, CFC Underwriting
• Ira Scharf, Chief Strategies Officer, BitSight Technologies
• Stephen Wares, Cyber Risk Practice Leader, EMEA, Marsh
Panel: Erica Constance (Willis), Graeme Newman (CFC Underwriting), Ira Scharf (BitSight Technologies), Stephen Wares (Marsh), Matthew Hogg (LSM)
Understanding the Cyber Claims Process
Noona Barlow, Head of Financial Lines Claims, EMEA, AIG
Agenda
– The cyber market, from a claims perspective
– Claims examples
– Tips for dealing with cyber claims, before and after
Clients’ Top Concern is Cyber Risk*
1. Cyber Risks 86%
2. Loss of Income 82%
3. Property Damage 80%
4. Worker’s Compensation 78%
5. Utility Interruption 76%
6. Securities/Investment Risk 76%
7. Auto/Fleet Risk 65%
* Based upon 2012 AIG survey. Percentage of respondents who indicated they were “very” or “somewhat” concerned about each specific risk, from a base of 256 quantitative interviews among brokers, risk managers, C-Suite executives and information technology decision makers, October – November 2012.
Clients’ Cyber Concerns
– 80% of clients believe that it is difficult to keep up with cyber threats because they are evolving so quickly
– 74% of clients believe human error is a significant source of cyber risk
– 82% believe hackers are the primary source of cyber threats
The Cyber Landscape
– AIG survey says boards are concerned about cyber attack and data breaches
– Risk managers do not buy cyber cover because the IT department says everything is okay
– Cyber insurance demand increased 33% in 2012
– Only 20% of companies buy cyber cover, despite the
Is Cyber Security on the Corporate Agenda?
– 81% say senior management place high or very high priority on security
– 42% of large organisations do not provide any ongoing security awareness training to staff
– 33% of large companies say responsibilities for ensuring data security are not clear
– 93% of companies where security policy is poorly
Claim Activity
Types of Data Most Often Exposed (from NetDiligence Claims Study, 2013)
• PII – Personally Identifiable Information (33% of events)
• PHI – Protected Health Information (27% of events)
• Credit/Debit Card Information (19% of events)
Causes of Loss (from NetDiligence Claims Study, 2013)
• Hacker – External (21% of events) BUT accounted for 97% of records exposed
• Lost/Stolen Laptop or Device (21% of events)
• Malware/Virus (19% of events)
Claim Activity
Industries Impacted (from NetDiligence Claims Study, 2013)
• Healthcare (29% of events)
• Financial Services (15% of events)
Average Costs
• Event management: $346,000 (from NetDiligence Claims Study, 2013)
• Cost per record: $5.22 (from NetDiligence Claims Study, 2013) to $188 (Ponemon Cyber Study, 2013)
• Financial impact per incident: $3.5 million (from NetDiligence Claims Study, 2013)
Claims Example – Hacker
• Insured provides medical and travel assistance in 70 countries
• Works with governments, business, NGOs
• Over a 5-day period, insured’s systems compromised
• Insured was advised by an external security firm monitoring hackers’ websites
• A month later, another breach
Claims Example – Rogue Employee
• Insured is a multinational bank
• Senior Financial Analyst at insured’s subprime lending division downloaded over 2 million records
• Sold 20,000 customer profiles each week for $500 each
• Notification required to over 10 million people
• 42 class actions
• Total loss to insured USD 40m
Claims Example – Hacker
• Large US retailer
• December 2013 breach
• Insured found out from the Secret Service
• Malware discovered on 43,745 point-of-sale terminals
• Over a 20-day period, malware exposed credit and debit card info (including PINs) of 40m customers
• Subsequent discovery that hackers accessed the customer info database, accessing personal information for an additional 70 million customers
Regulatory Landscape
• 46 states have notification requirements
• SEC – 2011: “Guidance” that companies should voluntarily disclose their cyber exposure and how it is addressed; goal is disclosure of “material” information that would be of interest to an investor
• Executive Order issued by the Obama Administration in February 2013
• European Union (EU) Cyber Security Directive – 2015(?)
• UK Information Commissioner
Global Awareness and Concern
A single data breach could lead to legal and regulatory action in more than
Notify, Notify, Notify
Variety of 1st and 3rd party coverage available, but notify to take advantage:
• Event management (manage and mitigate)
• Use of a breach coach
• Notification expenses
• Forensic investigation (evaluate location of servers and data subjects)
• Public relations consultant
• Credit monitoring service
• Identity theft insurance
• Business interruption
Beware Knock-on Activity
Target
• More than 70 class action lawsuits filed on behalf of consumers and others
• Revenue downturn and loss of prospective clients
• Investigation by DOJ and Secret Service
• At least two shareholder derivative suits against D&Os:
  – Breach of fiduciary duty and waste of corporate assets
  – Breach of fiduciary duty, gross mismanagement, waste of corporate assets
A Claim – Before and After
Before
• Recognize data is at risk and have a plan in place.
After
• First need to know you had or have a breach:
  – Report of lost laptop (because human error is an element in 75%+ of breaches)
  – Log files show unauthorized access, OR
  – As is the case with 86% of breaches, it is discovered/reported by a third party
The ‘Real’ After
Companies fall into three groups:
• Overreact and make public statements without facts
• Underreact and wait days/weeks to act
Mid-Afternoon Break
Impact of Proposed European Data Protection Reforms begins at 15.15
Impact of Proposed European Data Protection Reforms
Bridget Treacy, Partner, Hunton & Williams, Moderator
• Bridget Treacy, Partner, Hunton & Williams
• Jamie Bouloux, Cyber Liability Manager, Europe, AIG
• John Bowman, Head of International Data Protection & Policy, UK Ministry of Justice
• Mark Deem, Partner, Edwards Wildman Palmer UK
• Jyn Schultze-Melling, Chief Privacy Officer, Allianz
Panel: Jamie Bouloux (AIG), John Bowman (UK Ministry of Justice), Mark Deem (Edwards Wildman), Jyn Schultze-Melling (Allianz), Bridget Treacy (Hunton & Williams)
Government Cyber Security Frameworks
Ben Beeson, Partner, Global Technology and Privacy Practice, Lockton, Moderator
• Ben Beeson, Partner, Global Technology and Privacy Practice, Lockton
• Gerald Ferguson, Partner, BakerHostetler
• Mark Fishleigh, Director, Financial Services Practice, BAE Systems
• Russell Price, Chairman, Continuity Forum
• Sarah Stephens, Head of Cyber & Commercial E&O, EMEA, Aon
Panel: Gerald Ferguson (BakerHostetler), Mark Fishleigh (BAE Systems), Russell Price (Continuity Forum), Sarah Stephens (Aon), Ben Beeson (Lockton)
The View from the Top
Tom Ruggieri, CEO, Advisen, Moderator
• Tom Ruggieri, CEO, Advisen
• Warren Downey, Head of Risk Practice Business, Member of the Board, JLT Specialty Markets
• Matthew Fairfield, Founder and Chief Executive Officer, ANV Holdings BV
• Philippe Gouraud, Head of Client Management Group and Global Risk Solutions, EMEA, AIG
• Richard Hodson, Head of Technology, Oval Insurance Broking Limited
Panel: Warren Downey (JLT), Philippe Gouraud (AIG), Richard Hodson (Oval Insurance), Tom Ruggieri (Advisen), Matt Fairfield (ANV Holdings BV)