Assessing your Cyber Risk A Real Life Case Study Presented by: Liz - - PowerPoint PPT Presentation



SLIDE 1

Assessing your Cyber Risk

A Real Life Case Study

Presented by: Liz Limjuco, Marsh; Mike Paulino, CSG International; Cindy Stevens, Colorado Springs Utilities

SLIDE 2

Agenda

  • What is Cyber Insurance
  • Overview of Cyber Risk
  • Quantifying Cyber Risk
  • CSG Case Study
  • Colorado Springs Utilities


March 22, 2017

SLIDE 3

Cyber Insurance

SLIDE 4

Cyber Insurance: Key Insurance Coverages

First Party Cover

1st Party insurance coverage: direct loss and out of pocket expense incurred by the insured.

Business Income / Extra Expense: Interruption or suspension of computer systems due to a network security breach. Coverage may be added to include system failure. Covered costs:

  • Loss of income
  • Costs in excess of normal operating expenses required to restore systems
  • Dependent business interruption
  • Forensic expenses

Data Asset Protection: Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed. Covered costs:

  • Restoration of corrupted data
  • Vendor costs to recreate lost data

Event Management: Costs resulting from a network security or privacy breach. Covered costs:

  • Forensics
  • Notification
  • Credit monitoring
  • Call center
  • Public relations
  • Sales discounts

Cyber Extortion: Network or data compromised if ransom not paid. Covered costs:

  • Forensics
  • Investigation
  • Negotiations and payments of ransoms demanded

Third Party Cover

3rd Party insurance coverage: defense and liability incurred due to harm caused to others by the insured.

Privacy Liability: Failure to prevent unauthorized access, disclosure or collection, or failure of others to whom you have entrusted such information, for not properly notifying of a privacy breach. Covered costs:

  • Liability and defense
  • Third party trade secrets
  • Notification to individuals
  • Investigation costs
  • Costs related to public relations efforts
  • Sales discounts

Network Security Liability: Failure of system security to prevent or mitigate a computer attack. Failure of system security includes failure of written policies and procedures addressing technology use. Covered costs:

  • Liability and defense
  • Bank lawsuits
  • Consumer lawsuits
  • Sales discounts

Privacy Regulatory Defense Costs: Privacy breach and related fines or penalties assessed by regulators. Covered costs:

  • Investigation by a regulator
  • Liability and defense costs
  • PCI / PHI fines and penalties
  • Prep costs to testify before regulators
  • Consumer / bank lawsuits

SLIDE 5

Cyber Insurance Marketplace

Capacity

$1.3B in notional capacity, heavily domiciled in the US. Large towers are typically $200-$500M. Common primary markets: AIG, XL, Zurich, Lloyds.

Coverage

Enhancements have been introduced to address the needs of more industrial customers, e.g. system failure, business interruption.

Appetite

Underwriting process is increasingly thorough. Tech E&O and manufacturing remain favorable classes for many insurers.

Retentions

For organizations >$1B in revenue, retentions >$1M often lead to full limits across all insuring agreements. Increasing retentions leads to nominal premium savings.

Pricing

Premium is heavily dependent on industry, security controls, limitations of liability within contracts, retention level, coverage requests, and loss history.

SLIDE 6

Cyber Risk: An Evolving & Headlining Risk for Organizations

  • Liability to Customers and Key Vendors
  • Fines and Assessments by Payment Card Industry
  • Regulatory Scrutiny
  • Notification Requirements
  • Supply Chain

SLIDE 7

Defining Your Risk: How Is Cyber Risk Impacting Your Organization?

Leading Cyber Risks…

Regulatory Compliance

What are you doing to mitigate risk at each touch point across your third party suppliers/providers? What changes have you made recently in how you manage and protect sensitive data?

Operational Disruption

Employee Exposures

What are you doing to protect key employee or prospective employee information? How has this impacted your ability to recruit or retain talent?

Lawsuits and Reputational Harm

Do you have a response plan in the event of a breach? How are you mitigating the potential damage?

SLIDE 8

Defining Your Risk: Impact Across The Organization

Cyber is not just an IT issue. It is an enterprise risk that impacts many key stakeholders within your organization.

SLIDE 9

Potential Threat Environment

SLIDE 10

Quantifying Cyber Risk: Key Questions to Address

  • Identifying current and developing exposures
  • Identifying gaps in cyber practices and coverage
  • Designing programs to manage cyber risk effectively
  • Communicating findings to key decision makers

SLIDE 11

Quantifying Cyber Risk: A Risk Based Approach To Assess Cyber Exposures

Understand Your Potential Areas Of Risk

  • Consider organization’s internal and external business environment
  • Examine current systems, practices and controls for monitoring, reporting and response, with regards to cyber-related risks
  • Articulate organization’s cyber risk appetite
    ‒ Use risk consequence criteria/levels of impact

Undertake A Risk Assessment

  • Include a variety of personnel across business, including:
    ‒ Key business assets and critical information systems
    ‒ Information system/security, legal and risk personnel
  • For each cyber loss exposure considered, identify potential scenarios of threat sources and risk drivers
  • Assess effectiveness of current controls and practices in place to manage each threat source and risk driver

Risk Transfer and Loss Funding Options

  • For identified threat sources and risk drivers, confirm available contractual risk transfer and loss funding options
  • Undertake analysis of expected first- and third-party insurance policy response to each risk event/scenario
  • Enlist help from organization’s insurance broker as needed
  • For non-insurance key risk events:
    ‒ Review vulnerabilities they cause
    ‒ Develop strategies and initiatives to improve systems and controls

Developing Underwriting Information

  • Provide information amassed during previous steps to the insurance market. This will help:
    ‒ Cyber insurance market underwrite on an informed basis
    ‒ Organization’s insurance broker negotiate best available cyber insurance policy cover, limits, pricing and terms

Source: Marsh Analytics

SLIDE 12

Quantifying Cyber Risk: Using Analytics As Part of the Risk Decision

Questions the analytics help answer:

  • What do we need to be concerned about?
  • How much retained risk is appropriate for the company?
  • What is the potential risk and volatility and how much could it cost the company?
  • Are we protected and do we have optimal programs in place?
  • Does my retained risk sit in the appropriate vehicle?
  • Are we doing everything we can to manage, prevent or mitigate losses?
  • Are we minimizing administrative costs?
  • Are we capturing the right data about risks and losses efficiently?

Analytics and services available to the risk manager (grouped on the slide under Risk Identification, Risk Retained Considerations and Risk Transferred Considerations):

  • Claims Benchmarking
  • Data Management
  • Risk Management Information Systems
  • Leakage Audit
  • TPA Performance Assessment on WC Medical Costs
  • Collateral Solutions
  • Claims Inventory Management
  • Claims Advocacy
  • Workforce Strategies & Safety
  • Loss Control
  • Captive Solutions
  • Qualified Self Insurance
  • Benchmarking
  • After Insurance Loss Simulation
  • Loss Projection Model
  • Cyber Modeling
  • Risk Tolerance
  • Risk Bearing Capacity
  • Enterprise Risk Management
  • Risk Maps

SLIDE 13

CSG INTERNATIONAL

SLIDE 14

Quantifying Company Specific Risk

  • Personal info vs payment info vs health info elements
  • Discussions with company CISO and/or IT groups will help determine the most likely targets and scenarios
    – Ask questions to determine the maximum probable loss in terms of record count
    – How is company data separated?
  • Even if you don’t think you are a likely target, you probably have customers or suppliers that are
    – Target’s data was hacked through a vendor
    – The “rogue employee” situation could happen to any company

SLIDE 15

Quantifying Company Specific Risk

  • Narrowing the range for company specific breach costs is the key to determining appropriate limits and gaining executive buy-in for those limits
  • Pre-negotiate breach remediation costs with vendors before a cyber event occurs
  • Apply company specific information to breach cost models
  • Discuss your company’s unique situation with your broker in order to customize the cyber model
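The record-count approach on slides 14 and 15 (maximum probable loss in terms of record count, company-specific inputs to a breach cost model, and the retention and limit decisions that follow) can be worked through in a small model. The following Python is an added example written for this page; it is not Marsh's cyber model and not CSG's figures. The per-record cost ranges, the exposed-fraction distribution, the record inventory and the policy terms are all constructed assumptions; the only figure taken from the presentation is the 78% share of breach cost attributed to forensics, legal and notification on slide 19.

```python
"""Added example: a record-count breach cost model with insurance layering.

All per-record costs, exposure assumptions and policy terms below are
constructed for illustration; they are not figures from the presentation.
"""
from dataclasses import dataclass
import random

# Constructed per-record cost ranges in USD (low, high) by data element type.
PER_RECORD_COST = {
    "personal": (150.0, 250.0),
    "payment": (200.0, 350.0),
    "health": (350.0, 450.0),
}

# Share of breach cost spent on forensics, legal and notification (slide 19 figure).
FORENSICS_LEGAL_NOTIFICATION_SHARE = 0.78


@dataclass(frozen=True)
class Policy:
    """Simplified cyber policy terms (constructed)."""
    retention: float            # self-insured retention per event
    limit: float                # policy limit sitting above the retention
    forensics_sublimit: float   # sublimit for forensics/legal/notification


def scenario_cost(records, per_record_cost):
    """Cost of a scenario: sum over data types of record count times per-record cost."""
    return sum(records[kind] * per_record_cost[kind] for kind in records)


def maximum_probable_loss(records):
    """Worst case for the inventory: every record exposed at the high per-record cost."""
    high_costs = {kind: PER_RECORD_COST[kind][1] for kind in records}
    return scenario_cost(records, high_costs)


def apply_policy(loss, policy):
    """Split one event's loss into retained, insured and uninsured portions."""
    retained = min(loss, policy.retention)
    insured = min(max(loss - policy.retention, 0), policy.limit)
    uninsured = loss - retained - insured
    return retained, insured, uninsured


def forensics_shortfall(loss, policy, share=FORENSICS_LEGAL_NOTIFICATION_SHARE):
    """Forensics/legal/notification spend that exceeds the policy sublimit."""
    return max(loss * share - policy.forensics_sublimit, 0)


def simulate_losses(records, trials=10_000, seed=1):
    """Monte Carlo over per-record cost and exposed fraction; returns a percentile summary.

    The exposed fraction is drawn from Beta(2, 5), a constructed assumption that most
    events expose a minority of the inventory rather than all of it.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        costs = {kind: rng.uniform(*PER_RECORD_COST[kind]) for kind in records}
        fraction = rng.betavariate(2, 5)
        exposed = {kind: count * fraction for kind, count in records.items()}
        losses.append(scenario_cost(exposed, costs))
    losses.sort()

    def pct(p):
        return losses[min(int(p * trials), trials - 1)]

    return {"median": pct(0.5), "p95": pct(0.95), "p99": pct(0.99), "max": losses[-1]}


if __name__ == "__main__":
    inventory = {"personal": 400_000, "payment": 50_000}   # constructed record counts
    policy = Policy(retention=250_000, limit=5_000_000, forensics_sublimit=500_000)
    print("maximum probable loss:", round(maximum_probable_loss(inventory)))
    for name, loss in simulate_losses(inventory).items():
        retained, insured, uninsured = apply_policy(loss, policy)
        print(f"{name:>6}: loss {loss:>12,.0f} retained {retained:>10,.0f} "
              f"insured {insured:>12,.0f} uninsured {uninsured:>10,.0f} "
              f"forensics shortfall {forensics_shortfall(loss, policy):>10,.0f}")
```

Reading the output the way the slides suggest: the maximum probable loss sets the ceiling for the limit discussion, the p95 and p99 rows show where an uninsured remainder or a forensics sublimit shortfall appears for a given policy, and changing `Policy` fields shows the premium-versus-retention trade-off before talking to the broker.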

SLIDE 16

Non Insurance Mitigation

  • Re-visit record retention policy
    – Purge records as soon as reasonable
    – Ensure that records are actually being purged according to policy
  • Does your organization have a cyber breach play book?
  • Are there controls that could help prevent the rogue employee scenario?

SLIDE 17

Obtaining Executive Buy-In

  • Doomsday event is not probable and is never completely insurable
  • Present maximum probable loss examples with information gathered in data evaluation
    – Maximum probable loss exercise should be the basis for decisions
  • Highlight any non-insurance risk mitigation strategies as action items

SLIDE 18

SLIDE 19

Cyber Liability Insurance Issues

  • Property
    – Does your property policy cover resultant damages caused by a cyber event?
  • Crime
    – Social Engineering Endorsement: is your sublimit too low?
    – Phishing, employee sending a wire transfer “in error”
  • Cyber Liability: is your sublimit for Forensics too low?
    – Average cost of a breach ~$675K*
    – 78% (~$525K) forensics, legal, and notification
  • Is the “Notification” sublimit a % of the total limit?

* Source: NetDiligence/Actual Claim “Intelligence”

SLIDE 20

Cyber Liability Insurance Issues for Utilities

  • Likely Targets:
    – An August 2016 report from the U.S. Department of Energy cites a survey that said power companies and utilities around the world expressed in 2015 a six-fold increase in the number of "detected cyber incidents" over the previous year. Example: Ukraine/BlackEnergy
    – Additional Utility Data Risks: Smart Meters and Big Data; Deployment of updated Industrial Control Systems

SLIDE 21

Infrastructure Attack Scenario – Ukraine/Black Energy

  • Utility company’s operational SCADA and Industrial Control Systems (ICS) are penetrated via a spear-phishing campaign which successfully targets key utility personnel with supervisory access to vital control systems. Access is gained when a utility employee mistakenly opens a link in an email which appears to be from a supervisor. With access to key SCADA and ICS systems inside the utility’s operational network, the malware uploaded is able to gain control of key generation, transmission and distribution infrastructure, causing system-wide alerts, shutdowns, and malfunctions, and potentially significant operational equipment damage. Significant losses are incurred before the attack is detected, neutralized and the network is restarted to bring critical components back online.
  • Unauthorized intrusion disconnected 7 substations (110 kV) and 23 (35 kV) substations leading to an outage for 80,000 customers, at multiple regional Ukrainian utilities.
  • How Neutralized? Manual shutdowns (not possible in US/EU, SCADA-driven)

SLIDE 22

Cyber Liability Insurance Issues for Utilities

  • Ransomware Example: Does your policy allow payment in “Bitcoin”?
    – Lansing, Michigan Board of Water and Light paid a $25,000 ransom in 2016 to unlock its internal communications systems after the April 25 cyber attack shut down its accounting and e-mail systems. This ransom was paid via Bitcoin, a form of digital currency. Officials said the attack occurred after an employee unknowingly opened an e-mail with an infected attachment.*
    – Estimated cost: $1,900,000, AIG cyber insurance carrier
  • Water Quality, Failure to Supply: Lack of Water, Lack of Power, Replacement Purchased Power Options

* Eric Lacy, Lansing State Journal, published March 8, 2017

SLIDE 23

Q&A