Cyber risk and insurance - Dr. Katsiaryna (Kate) Labunets, Safety and Security Sciences group, TPM, TU Delft (PowerPoint PPT Presentation)



SLIDE 1

Cyber risk and insurance

Dr. Katsiaryna (Kate) Labunets, Safety and Security Sciences group, TPM, TU Delft. E: k.labunets@tudelft.nl

SLIDE 2

Outline

  • Who am I?
  • Definitions
  • Motivation
  • Cyber insurance market: Current practice
    – Questions to audience

  • Challenges for cyber insurance
  • CYBECO project

SLIDE 3

Dr. Katsiaryna (Kate) Labunets

  • MSc in Mathematics, Belarusian State University, Minsk, Belarus, 2004 - 2010
  • Business Systems Analyst, outsourcing software development company in Minsk, Belarus, 2008 - 2011
  • PhD Candidate in ICT, University of Trento, Italy, Nov 2011 - April 2016
  • Postdoc in Empirical Security, DISI, University of Trento, Italy, June 2016 - May 2017
  • Postdoc in Cyber Insurance, TBM, TU Delft, Netherlands, June 2017 - present

SLIDE 4

Definitions

SLIDE 5

Definitions [1/2]

  • Risk is the likelihood of an incident and its impact on an asset (e.g., organizational processes, functions, reputation).
  • Cyberspace is the complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. [ISO 27032]

Cyberspace + Risk = Cyber Risk

  • Risk mitigation strategies: reduce, avoid, transfer or accept the risk. Insurance is the transfer option: the residual risk that is neither reduced nor avoided is passed to an insurer in exchange for a premium.

SLIDE 6

Definitions [2/2]

  • Cyber insurance (CI) is "protection against losses related to cyber risks, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime, network intrusion and/or information security breaches" [Gartner, 2015].

Gartner, "Five Tips for Companies Considering Cyber Insurance", 2015. Available: http://blogs.gartner.com/john-wheeler/five-tips-for-companies-considering-cyber-insurance/

SLIDES 7-9

(Figure, shown on three slides) WEF, "Global Risks Interconnections Map 2017", https://goo.gl/P5bkrk

SLIDE 10

Cost of cyber incidents

An extreme cyber-attack could cost as much as Superstorm Sandy in 2012: $53bn of economic losses.

Lloyd's, "Counting the cost: cyber exposure decoded", 2017. https://goo.gl/fSFq9B

SLIDE 11

Equifax hack

SLIDE 12

Ransomware attacks

  • WannaCry (2017): within a day about 230,000 Windows computers were infected in 150 countries (ransom demanded in the Bitcoin crypto-currency)
  • Petya (2016) / NotPetya (2017): among other victims, Maersk's container terminal in the port of Rotterdam stopped functioning

SLIDE 13

Cyber insurance demand

Demand is growing.

Advisen, "Information Security and Cyber Liability Risk Management", 2015. http://bit.ly/1M9Gyp0

SLIDE 14

Cyber insurance market: Current practice

  • How do insurers underwrite cyber risks?
  • How many people actually read their policies?
  • What are the selling points for customers?
  • When would you advise a client to buy cyber insurance?

SLIDE 15

Cyber insurance challenges [1/2]

  • Dealing with intelligent adversaries and intentionality
    – Not well covered in standard cyber risk management
  • Lack of data about cyber attacks
    – New regulations are coming (in 2018): the General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS). Both introduce mandatory breach/incident notification, which should produce more incident data.
    – Alleviate by using Structured Expert Judgment
  • Difficult to quantify cyber risk
    – There are too many factors
    – Dynamic nature of cyber risk

SLIDE 16

Cyber insurance challenges [2/2]

  • Cyber insurance fraud
    – It is hard to discover the origin of a cyber attack
  • Interdependent security
    – A majority of clients in an insurer's portfolio could be affected by the same attack
    – Cyber insurance catastrophe: losses that were priced as independent turn out to be correlated
  • Moral hazard
    – Insured companies may change their behaviour regarding investments in the company's security
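The "cyber insurance catastrophe" point above is worth seeing in numbers. The following is an added example (not code from the talk or the CYBECO project) that compares two constructed portfolios of 100 insureds with exactly the same expected number of claims per year, so an actuary pricing on expected loss alone would charge the same premium for both. One portfolio has independent breaches; the other adds a 5% yearly chance of a common event (the WannaCry/NotPetya pattern: one shared vulnerability hitting many clients at once) that breaches most of the portfolio. All probabilities are assumptions chosen for illustration; the point is the tail, not the numbers.

```python
from math import comb


def binomial_pmf(n: int, p: float) -> list[float]:
    """P(K = k) for k = 0..n when each of n insureds is breached independently with probability p."""
    return [comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(n + 1)]


def claims_pmf(n: int, p: float, q: float = 0.0, p_shock: float = 0.0) -> list[float]:
    """Distribution of the number of claims K from a portfolio of n insureds in one year.

    Each insured is breached by its own, independent events with probability p.
    With probability q a common event hits the whole portfolio (a worm for a
    vulnerability they all share, an outage at a provider they all use) and every
    insured's breach probability becomes p_shock for that year.  q = 0 gives the
    purely independent model.
    """
    own = binomial_pmf(n, p)
    shocked = binomial_pmf(n, p_shock) if q > 0 else own
    return [(1 - q) * a + q * b for a, b in zip(own, shocked)]


def expected_claims(pmf: list[float]) -> float:
    return sum(k * pk for k, pk in enumerate(pmf))


def tail_probability(pmf: list[float], k: int) -> float:
    """P(K >= k): chance that at least k insureds claim in the same year."""
    return sum(pmf[k:])


def value_at_risk(pmf: list[float], level: float) -> int:
    """Smallest k with P(K <= k) >= level: the claim count the insurer must hold capital for."""
    cdf = 0.0
    for k, pk in enumerate(pmf):
        cdf += pk
        if cdf >= level:
            return k
    return len(pmf) - 1


def compare_portfolios(n: int = 100, level: float = 0.995, threshold: int = 30) -> dict:
    """Two constructed portfolios priced on the same expected claims (5% of n per year).

    'independent': p = 5% per insured, no common event.
    'correlated' : p = 2% per insured, plus a 5% chance per year of a common event
                   that breaches each insured with probability 62%.
                   Expected claims: 0.95 * 0.02 * n + 0.05 * 0.62 * n = 0.05 * n, the same.
    """
    portfolios = {
        "independent": claims_pmf(n, p=0.05),
        "correlated": claims_pmf(n, p=0.02, q=0.05, p_shock=0.62),
    }
    return {
        name: {
            "expected": expected_claims(pmf),
            "var": value_at_risk(pmf, level),
            "p_at_least_threshold": tail_probability(pmf, threshold),
        }
        for name, pmf in portfolios.items()
    }


if __name__ == "__main__":
    for name, r in compare_portfolios().items():
        print(f"{name:12s} expected={r['expected']:.2f} claims  "
              f"99.5% VaR={r['var']:3d} claims  P(>=30 claims)={r['p_at_least_threshold']:.4f}")
```

Both portfolios expect 5 claims a year, but the independent one almost never sees 30 claims at once, while the correlated one does so in roughly one year in twenty, and the claim count it must be capitalised for at the 99.5% level is several times higher. That gap is the accumulation risk the slide calls a cyber insurance catastrophe, and it is invisible to pricing that only looks at per-client expected loss.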

SLIDE 17

CYBECO project

SLIDE 18

Project details

  • Title: Supporting Cyberinsurance from a Behavioural Choice Perspective
  • Duration: May 2017 - April 2019 (2 years)
  • Program: H2020
  • 7 partners: Greece, Netherlands (TU Delft), UK, Spain, Luxembourg, France (AXA)

SLIDE 19

How does CYBECO help? [1/2]

  • Understand better how the CI ecosystem works in practice
    – key drivers behind the decision-making process when insureds buy CI,
    – behavioural aspects of the CI ecosystem (e.g., how a company's behaviour changes once it has CI).
  • Identify possible gaps in the key directives, standards and services in order to improve CI practice.

SLIDE 20

Figure: the cyber insurance ecosystem (diagram; only its labels are recoverable here).

Actors: Insurer, Agent, Expert, Security provider, Threat, Reinsurance provider, Sector regulator, Insurance regulator, Policymaker, Client, Researchers, Vendor.

Relations drawn between them: cover losses due to cyber risk; collect necessary data; provide results; security services for the insurer and its clients; provide security services; compliance with regulations; pay premiums; damage or steal the company's assets; cover part of the insurer's clients' losses; request a specific expertise; invest in security; interests of companies; interests of insurers; interests of clients; policy changes; provide product/service; research results, policy recommendations.

SLIDE 21

How does CYBECO help? [2/2]

  • Provide tool support for security risk management with
    – new mathematical models that incorporate CI,
    – behavioural nudges in cyber security and insurance.

SLIDE 22

Want to join us?

  • We are looking for collaboration
  • More information: www.cybeco.eu, k.labunets@tudelft.nl

SLIDE 23

The structure of CYBECO goals

Figure: structure of the CYBECO goals (diagram). Elements: insurance contracts; risk generation; risk transfer; risk assessment; risk reduction; choice behaviour of insurance companies; choice behaviour of cyber threats; choice behaviour of IT owners.

SLIDE 24

Cyber insurance ecosystem

SLIDE 25

RQ1: How the CI ecosystem works [1/3]

  • [RQ1.1] What are the key (behavioural) drivers for buying CI?
    – Initial interviews + a large-scale survey with two groups of companies:
      • those that already bought CI
      • those that considered CI but did not buy it

SLIDE 26

Figure: an IT company's decision on buying cyber insurance (cartoon). Inputs: cyber risk and a cyber insurance policy. Thoughts shown: "Everybody has a cyber insurance", "Company may lose money or reputation", "Somebody might go to jail". Question: "Do you want to buy a cyber insurance?" Output: decision.

SLIDE 27

RQ1: How the CI ecosystem works [2/3]

  • [RQ1.2] What are the relations between risk level, client's behaviour, CI policy and premiums?
    – Agent-based modelling (ABM)

SLIDE 28

ABM for Cyber Security [1/2]

MSc thesis: "The Vulnerability Ecosystem: Exploring vulnerability discovery and the resulting cyberattacks through agent-based modelling" by Y. Breukers

SLIDE 29

ABM for Cyber Security [2/2]

SLIDE 30

RQ1: How the CI ecosystem works [3/3]

  • [RQ1.3] How does risk perception affect the insured's decision on buying CI?
    – Behavioural experiments based on
      • prospect theory
      • protection motivation theory

SLIDE 31

Prospect theory

People make decisions based on the potential value of losses and gains relative to a reference point, not on final outcomes; losses loom larger than equal gains, and small probabilities are over-weighted.
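To make the slide's one-line summary concrete for the insurance-buying decision, here is an added example (not from the talk or the CYBECO project) that evaluates one constructed scenario two ways: as a risk-neutral expected-value comparison and with the Tversky and Kahneman (1992) prospect-theory value and probability-weighting functions, using their published parameter estimates. The scenario itself (a 1% chance of a 100,000 loss, a 1,500 premium, status quo as the reference point) is an assumption for illustration.

```python
def value(x: float, alpha: float = 0.88, beta: float = 0.88, lam: float = 2.25) -> float:
    """Prospect-theory value of an outcome x measured from the reference point (status quo).

    Concave for gains, convex for losses, and losses are scaled by lam > 1 (loss
    aversion).  alpha, beta and lam are the Tversky & Kahneman (1992) estimates.
    """
    return x ** alpha if x >= 0 else -lam * (-x) ** beta


def weight(p: float, gamma: float = 0.69) -> float:
    """Probability weighting function for losses (gamma = 0.69 in Tversky & Kahneman 1992).

    Inverse-S shaped: small probabilities are over-weighted, moderate and large
    ones under-weighted.  weight(0.01) is about 0.04, four times the true 1%.
    """
    return p ** gamma / (p ** gamma + (1 - p) ** gamma) ** (1 / gamma)


def buys_insurance_expected_value(loss: float, prob: float, premium: float) -> bool:
    """A risk-neutral insured pays at most the expected loss prob * loss."""
    return premium <= prob * loss


def buys_insurance_prospect_theory(loss: float, prob: float, premium: float) -> bool:
    """Compare the risky prospect 'lose `loss` with probability prob' against the
    certain outcome 'pay the premium'; both are losses relative to the status quo."""
    uninsured = weight(prob) * value(-loss)
    insured = value(-premium)
    return insured > uninsured


def max_premium_prospect_theory(loss: float, prob: float, beta: float = 0.88) -> float:
    """Highest premium a prospect-theory insured still accepts.

    Solving value(-premium) = weight(prob) * value(-loss) for premium gives
    premium = loss * weight(prob) ** (1 / beta); the loss-aversion factor lam
    cancels, so in this single-loss framing it is the over-weighting of the small
    probability, not loss aversion, that makes the policy attractive.
    """
    return loss * weight(prob) ** (1 / beta)


if __name__ == "__main__":
    # Constructed scenario: expected loss is 1,000, the premium is 1,500 (50% loading).
    loss, prob, premium = 100_000.0, 0.01, 1_500.0
    print("expected-value buyer:", buys_insurance_expected_value(loss, prob, premium))
    print("prospect-theory buyer:", buys_insurance_prospect_theory(loss, prob, premium))
    print(f"max premium a prospect-theory buyer accepts: {max_premium_prospect_theory(loss, prob):.0f}")
```

For this scenario the expected-value buyer declines (premium above expected loss) while the prospect-theory buyer accepts, and would keep accepting up to a premium of roughly 2,550, two and a half times the expected loss. That is the kind of gap the planned behavioural experiments are meant to measure; it also shows why the framing of the policy (how the probability and the loss are presented) can move the decision as much as the price does.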

SLIDE 32

Protection motivation theory

People protect themselves based on four factors:

  a. the perceived severity of a threatening event,
  b. the perceived probability of its occurrence (vulnerability),
  c. the perceived efficacy of the recommended preventive behaviour,
  d. the perceived self-efficacy.

SLIDE 33

RQ2: CI policy complexity

How does the complexity of the policy affect the insured's decision to buy CI?

Simple and cheap vs. complex and expensive

SLIDE 34

RQ2: Simple policy

HDI Global offers the Internetbankierfraudeverzekering (online banking fraud insurance), a cyber insurance that covers losses from online banking fraud only.

(Figure: premiums and deductibles)

SLIDE 35

RQ2: Complex policy [1/2]

  • AIG group offers the CyberEdge insurance policy, which covers:
    – 3rd party security and privacy claims,
    – network business interruption,
    – security failure at an outsourced service provider,
    – electronic data incidents,
    – cyber extortion,
    – etc.

SLIDE 36

RQ2: Complex policy [2/2]

(Figure: premiums and deductibles)

SLIDE 37

More than cyber insurance

"Insurance institutions are doing something more than transferring risk—they are actively managing the underlying risk of data breach." [Talesh, 2017]

Talesh, "Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as 'Compliance Managers' for Businesses". Law & Social Inquiry, 2017.

SLIDE 38

RQ3: Risk management

  • What can motivate insureds to maintain a certain level of security?
    – Premium discounts as an incentive to implement recommended security controls
  • How to link premium reductions to security controls so as to get better risk reduction?
    – Select controls that differentiate between clients (10-70%)
    – Data-driven selection based on the available information about incidents and implemented (or absent) security controls
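One way to operationalise the two selection criteria above, as an added example that is not the project's own method. It assumes the "10-70%" on the slide refers to the share of insureds that have a control in place (a control everyone or no one has cannot justify a differential discount), and it uses a constructed portfolio of 20 insureds with made-up controls and incident flags. For each control it computes adoption, the incident rate with and without the control, and the relative reduction, then keeps the controls that both differentiate clients and are associated with fewer incidents.

```python
# Constructed portfolio of 20 insureds (not real data): the controls each one has
# in place and whether it reported a security incident during the policy year.
CLIENTS = [
    # (client id, implemented controls, incident reported)
    ("c01", {"mfa", "backups", "patching", "antivirus", "siem"}, False),
    ("c02", {"mfa", "backups", "patching", "antivirus"}, False),
    ("c03", {"mfa", "backups", "patching", "antivirus"}, False),
    ("c04", {"mfa", "patching", "antivirus"}, False),
    ("c05", {"mfa", "antivirus"}, False),
    ("c06", {"mfa", "backups", "antivirus"}, True),
    ("c07", {"mfa", "backups", "antivirus"}, False),
    ("c08", {"mfa", "patching"}, False),
    ("c09", {"backups", "patching", "antivirus"}, True),
    ("c10", {"backups", "patching", "antivirus"}, False),
    ("c11", {"backups", "patching", "antivirus"}, False),
    ("c12", {"patching", "antivirus"}, True),
    ("c13", {"backups", "antivirus"}, True),
    ("c14", {"backups", "antivirus"}, True),
    ("c15", {"antivirus"}, True),
    ("c16", {"antivirus"}, True),
    ("c17", {"backups", "patching", "antivirus"}, False),
    ("c18", {"backups", "antivirus"}, False),
    ("c19", {"antivirus"}, False),
    ("c20", {"antivirus"}, False),
]


def score_controls(clients):
    """For every control seen in the portfolio: adoption share, incident rate among
    insureds with and without it, and the relative reduction 1 - rate_with / rate_without."""
    controls = sorted(set().union(*(ctrls for _, ctrls, _ in clients)))
    scores = {}
    for control in controls:
        with_c = [inc for _, ctrls, inc in clients if control in ctrls]
        without = [inc for _, ctrls, inc in clients if control not in ctrls]
        rate_with = sum(with_c) / len(with_c) if with_c else 0.0
        rate_without = sum(without) / len(without) if without else 0.0
        # If nobody without the control had an incident, the data cannot show a benefit.
        reduction = 1 - rate_with / rate_without if rate_without > 0 else 0.0
        scores[control] = {
            "adoption": len(with_c) / len(clients),
            "rate_with": rate_with,
            "rate_without": rate_without,
            "reduction": reduction,
        }
    return scores


def select_discount_controls(clients, min_adoption=0.10, max_adoption=0.70, min_reduction=0.25):
    """Controls worth tying a premium discount to: adopted by a minority-to-majority
    share of insureds (so they differentiate clients) and associated with a clear
    drop in incident rate.  Returned best-first by relative reduction."""
    scores = score_controls(clients)
    chosen = [
        c for c, s in scores.items()
        if min_adoption <= s["adoption"] <= max_adoption and s["reduction"] >= min_reduction
    ]
    return sorted(chosen, key=lambda c: scores[c]["reduction"], reverse=True)


if __name__ == "__main__":
    for control, s in score_controls(CLIENTS).items():
        print(f"{control:10s} adoption={s['adoption']:.2f} "
              f"incidents with={s['rate_with']:.2f} without={s['rate_without']:.2f} "
              f"reduction={s['reduction']:.2f}")
    print("discount candidates:", select_discount_controls(CLIENTS))
```

On the constructed data "antivirus" (95% adoption) and "siem" (5%) are dropped as non-differentiating, "backups" shows almost no difference in incident rate, and "mfa" and "patching" come out as the discount candidates. Two caveats a practitioner would add before using such a ranking: the association is observational (here the MFA adopters also patch more often, so the two effects are confounded), and the per-group counts are tiny; a real selection would require a minimum group size and a model that adjusts for the other controls.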

SLIDE 39

RQ4: Interdependent security

  • How does the implementation of a particular security control affect the risk level of other insureds?
    – Better security of one insured => higher risk level for others?
    – Is the overall level of a specific risk constant to some extent?
    – Where to use adversarial risk models and where probabilistic models?

Approach: agent-based modelling + empirical validation

SLIDE 40

RQ5: Low-cost security evaluation

  • What is a cheap alternative to a thorough (and expensive) security risk assessment?
    – Questionnaire-based evaluation
  • Is it effective for cyber insurance?
    – Rank insureds based on information about companies that reported security incidents
  • Do insurers have data?
    – Security reputation metrics

Benchmark the alternatives against the results of real security risk assessments

SLIDE 41

Open questions

  • What is the toolbox for?
  • Who are the users of the toolbox?
    – IT companies?
    – Insurance companies?
    – Both?
  • What models are needed for the CYBECO toolbox?

SLIDE 42

CYBECO structure

Figure: project structure (diagram). Work packages WP1 to WP8, plus ethics requirements.

SLIDE 43

Cognitive heuristics and biases

SLIDE 44

Motivation [1/3]

  • Cyber risk is very different from other operational risks [Biener et al., 2015]

Losses per risk type (in million US$):

  Category         N        Mean     SD
  Cyber risk       994      40.53    443.88
  Non-cyber risk   21,081   99.65    1,160.17

Biener et al., "Insurability of cyber risk: an empirical analysis". Geneva Papers on Risk and Insurance: Issues and Practice, 2015.

SLIDE 45

Motivation [2/3]: Market is growing

Bloomberg, "Cyber Crime Fears Drive Up Demand for Anti-Hacker Insurance", 2017. https://www.bloomberg.com/news/articles/2017-05-09/cyber-crime-fears-drive-growing-demand-for-anti-hacker-insurance

SLIDE 46

Experimental background