Activity 2-unit 2-update 2024. English translation
FORUM 2013 Cyber Risks - not just a domain for IT
1. Cyber Risks – Not Just a Domain for IT
The Evolving Threat to Companies in Europe and Risk Transfer
Tracie Grella
Global Head of Professional Liability
AIG Property Casualty
1
2. Client Perception
How Concerned are you about this type
of risk for your company?
1
Cyber Risks
86%
2
Loss of Income
82%
3
Property Damage
80%
4
Workers Compensation
78%
5
Utility Interruption
76%
6
Securities and Investment Risk
76%
7
Auto/Fleet Risk
65%
All audiences agree:
Clients who believe
human error is a
significant source
of cyber risk
74%
Hackers are the
primary
source of cyber
threats
82%
IT is difficult to
keep up with cyber
threats because
they are evolving
so quickly
80%
8/10/2013
2
3. Cyber Crime Attacks
43%
of organizations in the
EuroZone experienced more
than 3 attacks
65%
of companies across 62 countries
are extremely concerned about
cyber attacks
Causes of a Data Breach
•
Top banks in the UK claims that
cyber attacks now represents a
major threat to their stability
Cyber Trends
•
•
4 of 5
•
Threat Actions: Hacking 52%, Social Tactics 29%
Threat Agents: Organized Crime 52%, State
Sponsored 19%, Insiders 14%
50% of insiders who committed sabotage were former
employees taking advantage of security that was not
disabled
(Verizon Data Breach Report 2013 and AIG)
•
•
•
70% of breaches were spotted by an external party,
9% were spotted by customers
76% of network intrusions exploited week or stolen
credentials
Claim volume up by 67% in 2012 and 71% in 2013
(AIG)
Only 20% of middle market and large organizations
purchase cyber (AIG)
(Verizon Data Breach Report 2013)
DLA Piper CIO Daniel Pollick
“There has been a change in atmosphere in the past 18
months. Governments are taking cyber security more
seriously and are pushing it to the top of business agendas”
3
4. Country Exposure
Italy:
16,456 hacks against
organizations in 1st
half of 2013, up 57%
from same time
last year
UK: Cost of Cyber Crime is
£27bn
Belgium:
Cost of Cyber
Crime EUR5bn
• Cost to UK Business estimated
£21bn
• Average cost of resolving a data
breach is £2.04m
• Ireland: 37 breaches in 2012 with
68 over last 3 years
Russia: number
of cyber crimes
grew 33% in
2012
8/10/2013
Germany:
Cost to German
business
EUR43bn
• Scotland: total cost of cyber
Crime is £5bn every min lose
£158
4
5. Business Enterprise Risk
Typical Hourly Cost of Downtime by Industry (in US Dollars)
The
6.48 million
Brokerage Service
Accounting
Employees can’t access systems
Energy
2.8million
Consumers can’t access your product
Telecom
2.0You disrupt a 3rd party’s supply chain
million
Manufacturing
million
1.6Unexpected costs
Typical Hourly Cost of Downtime by Industry (in US Dollars)
Brokerage
RetailService
Energy
Telecom
Healthcare
Manufacturing
Retail
Healthcare
Media
Media
6.48 million
2.8million
2.0 million
1.6 million
1.1 million
636,000
Reputation damage
1.1 million
Stock drops
636,000
Investigations
90,000
90,000
*Source: Network Computing, the Meta Group and Contingency Planning Research
*Source: Network Computing, the Meta Group and Contingency Planning Research
8/10/2013
5
6. Business Enterprise Risk
Employees can’t access systems
• Down for an extended period
Consumers can’t access your product
• Loss in Net sales
• Infrastructure
• Breach of service agreements
Reputation Damage
• Cost to your Brand
• Consumer churn
• Loss of contracts or other business
opportunities access systems
Employees can’t
• Business lost to competitors
•Coupons and discounts product
Consumers can’t access your
You disrupt a 3rd party’s supply chain
• Inability for upstream production or delivery
• Legal Penalties for breach of contractual obligations
Stock drops a 3rd party’s supply chain
You disrupt
• Average stock drop related to a cyber
event 5%
Typical Hourly Cost
Unexpected of Downtime by Industry (in US Dollars)
costs
Brokerage Service continuation costs million
6.48
• Business
2.8million
• Energy
Critical computer components damaged
• Telecom
Re-uploading and patching of system critical
2.0 million
software
Manufacturing
1.6 million
• Retail
Replacing lost or destroyed data sets
1.1 million
Investigations
Reputation damage
•Own internal
• Regulatory
Stock drops
•Shareholder Discovery
Healthcare
Unexpected costs
Investigations
636,000
Media
The Accounting
90,000
*Source: Network Computing, the Meta Group and Contingency Planning Research
8/10/2013
6
7. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
LEGAL / PR
8/10/2013
7
8. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
Awareness & Education
Loss Mitigation Tools
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
LEGAL / PR
8/10/2013
8
9. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
Cyber Extortion
Business Interruption
Crisis Management
Loss of Clients
Stock Drop
LEGAL / PR
8/10/2013
9
10. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
LEGAL / PR
8/10/2013
Costs to Identify Exposed Records
Contain the Breach
Restore Data
10
11. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
Breach Coach and Legal Defense
LEGAL
8/10/2013
Legal Costs to Aid Victims of ID Theft
11
12. How Insurance Can Respond
Austria
Germany
Norway
FINES
PRE BIND
SOLUTIONS
Spain
• Mandatory
Notification
Telecomm
• Countries
INCIDENT /
BREACH
INVESTIGATION
Voluntary Notification
Regulators
FORENSICS
NOTIFICATION
Individuals
Credit Monitoring
8/10/2013
LEGAL / PR
12
13. How Insurance Can Respond
FINES
PRE BIND
SOLUTIONS
3rd Party Liability
INCIDENT /
BREACH
INVESTIGATION
Shareholders
Client
Regulatory
NOTIFICATION
FORENSICS
LEGAL / PR
8/10/2013
13
14. How Insurance Can Respond
Administrative
FINES
Industry Standards
PRE BIND
SOLUTIONS
PCI
INCIDENT /
BREACH
INVESTIGATION
NOTIFICATION
FORENSICS
LEGAL / PR
8/10/2013
14
15. Cyber risks – not just a domain for IT
October 1, 2013
Kevin P. Kalinich, J.D.
Global Practice Leader – Cyber Insurance
Aon plc
Kevin.Kalinich@aon.com
8/10/2013
15
16. Cyber Insurance Outline
•
2013 Evolving Trends
o Financial Statement
Impact
o Board of Directors Issue
o All Industries Impacted
•
Cyber Risk Identification
o Classify, Qualify &
Quantify
•
Risk Mitigation
•
Existing Insurance Policy Gap
Analysis
8/10/2013
16
17. 2013 Evolving Trends
•
•
•
•
EU Organizations increasing reliance on
Hacker steals data of 2 million Vodafone Germany
evolving technologies
clients
o Mobile (including payments)
British police arrest eight over cyber theft at Barclays
o Cloud Computing
o Social Media
o Data Analytics (“Big Data”)
o Third Party Vendor Issues
Payment Card Industry Data Security Standards:
Fines & Penalties
Data transfers to US in wake of NSA
Cyber Risks Financial Statement Impact
o Actuarial Modeling
o Board of Directors Liability?
Managing Cyber Security as Business Risk:
Cyber Insurance in the Digital Age (August 2013:
http://assets.fiercemarkets.com/public/newsletter
/fiercehealthit/experian-ponemonreport.pdf)
http://www.emwllp.com/news/confidentialinformation-theft-cases-reach-record-high/
Aon Risk Solutions EMEA
Proprietary & Confidential |
17
21. Proprietary Cyber Risk Discovery Process
Procurement
Process
Vendor
Diligence
Limitation of
Liability
Cloud
Customized
Ongoing
Services
New Products
and/or
Services
Quality
Controls
Employee
Training
Contract
Management
Dispute
Risk
Transfer
Resolution
Needs
Diagnostic
Program Design &
Marketing
Content
development/
clearance
Intellectual
Property
Review
Aon Risk Solutions EMEA
Proprietary & Confidential |
Data Risks
Privacy
Policy
Security
Controls
Data
Breach
Response
Plan
21
22. Cyber Risk Actuarial Analysis growing
RISK vs. UNCERTAINTY
RISK = Something you can put a
price on
(e.g. exactly 1 chance in 11 to hit
an inside straight in Texas
Hold’Em)
UNCERTAINTY = risk that is
hard to measure (e.g. Cyber
exposure frequency & severity)
“We ignore the risks that are
hardest to measure, even when
they pose the greatest threats
to our well-being”
-- Nate Silver, The Signal
And The Noise: Why So Many
Predictions Fail – But Some Don’t
Aon Risk Solutions EMEA
Proprietary & Confidential |
Review Comparable Cyber
Losses
Peer Benchmarking
Monte Carlo Simulations
Financial Impact Options
Risk Acceptance
Risk Avoidance
Risk Retention
Risk Transfer
Contractual Allocation
Cyber Insurance
Risk mitigation is key in all cases
Board of Directors Liability?????
Integrate with Enterprise Risk
Management
22
23. Risk Mitigation
•
•
•
•
•
•
•
Comprehensive Cyber Risk Mitigation Program: Need Management Support
Although IT Security & Use policies are important ----------------it is MUCH MORE THAN AN IT
SECURITY ISSUE
Engage inter-departmental coordination and cooperation
• Risk Management
• Finance/Treasury
• Legal
• Human Resources
• CIO, CPO, CISO, etc.
• IT Security
Education on Legal Exposures: train & monitor employees & all others
Ensure Compliance with Organization’s Privacy Policy regarding 3rd party Personally Identifiable
Information
Data Breach Management Policy – continuously update
Third Party Exposures
• Vendor/Supplier Management
• Contractual Considerations
• Vendor/Supplier Audits
Aon Risk Solutions EMEA
Proprietary & Confidential |
23
24. Sample 10 Questions To Ask
Question
Takeaways/Possible Conclusion
Do you have an Information Security Policy ?
Most will say yes.
If no, it would suggest a lack of awareness of the issues and therefore
would be unlikely to be ready for the product.
Is it based on any Information Security
Standard?
Ideal answer would be ISO27002 as this is well understood and recognised
by the market.
What is the Governance Structure for
management IS Risk & Controls?
Presence of a structure is an indicator of a mature organisation who
understands and is looking to manage the risks.
How do you maintain assurance of your internal
IT controls ?
If there is an indication that a robust regime in place – a free scan should be
positioned as additional assurance. No evidence is an opportunity for a free
scan, but may also indicate a high risk.
Do you use third party suppliers?
Need for the product is increased if yes; need to find out the scope of
services – if critical, need for cyber risk transfer is increased.
Do you obtain assurance of their Data/Security
Controls?
Ideal answer is yes via a recognised method i.e. SSAE 16/SAS 70 or other
auditing standard. These will be readily accepted as evidence.
What is your approach to the management of
mobile devices?
Every client will have this issue; Laptop and device encryption are key
controls. Lack of an informed response is not a good indicator.
What are your key controls to determine if are
being subject to a cyber attack?
This provides an insight to the monitoring capability of the organisation.
Most have poor levels of control unless they have outsourced a service.
Do you have a Cyber response team or plan?
Key area for extra service sales – most do not and failure to response
quickly enough drives up and final incident cost.
Have you ever needed to complete a forensic
examination of your IT equipment?
As above – often key evidence is destroyed through lack of awareness
Aon Risk Solutions EMEA
Proprietary & Confidential |
24
25. Can’t ‘traditional’ insurance help?
Property
General
Liability
Malware and
Denial-ofService attacks
do not constitute
‘physical perils’
and do not
damage
‘tangible
property’
CGL Privacy
coverage limited
to ‘publication
or utterance’
resulting in one
of traditional
privacy torts.
Unauthorized
access
exclusions.
E&O
Requires
negligence in
provision of
defined
business
activities.
Crime
Crime policies
require intent…
theft of money,
securities, or
tangible
property.
Generally
Intentional acts
and insured vs.
insured issues.
No coverage for
expensive
crisis
expenses
required by law
or to protect
reputation.
Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap &
Ransom Policies
Aon Risk Solutions EMEA
Proprietary & Confidential |
25
27. Existing Insurance Policy Claims Trends
Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages
(Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies
impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs
we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a
liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a
result.”
State National Insurance Co. v. Global Payments April 2013 $84 Million Declaratory Judgment Action regarding
excess Professional Liability policy: Card association claims do not arise out of negligence from “professional services”
or “technology-based services”
Hartford v. Crate & Barrel and Children’s retail Stores (Declaratory Judgment Action with respect to GL Policy):
– Over 125 Class Actions in California, lead by: Pineda v. Williams Sonoma, 51, Cal.4th 524, 246 P.3rd 612 (Cal.
2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act)
– Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23,
2011);.
Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) -- Negligence
suit against insurance broker for not placing proper coverage
Tornado Technologies Inc. v. Quality Control Inspection, Inc. (OhioCt. App. August 2, 2012) – no negligence of
insurer for not warning insured to purchase special cyber policy
Retail Ventures v. National Union Fire Ins. (August 23, 2012) Crime Policy Endorsement Applies
Liberty v. Schnucks (August , 2013) Declaratory Judgment filed regarding General Liability policy
Aon Risk Solutions EMEA
Proprietary & Confidential |
27
28. Scope of Available Coverage
Breac
h
Mitigation
Regulator
y
Liability
• Regulatory
• Individual
• Notification
Investigations
Actions
Costs
• Consumer
• Consumer
• IT Forensics
• Online and offline
Redress Funds
Class Actions
• PR +
breaches
• Civil Penalties
• Suits from
Advertising
• Accidental or “rogue”
• PCI – DSS
business
• Credit
employee actions
Fines
partners
Monitoring
• Breaches caused by
• UK & EU
• Suits from
• “Turnkey”
vendors or
country specific
financial
breach
outsourcers
laws
institutions
response from
• Coverage should be customized based on the nature of the business
carrier partners
o For example, FI consumer facing businesses can face a different liability chain (see recent
ATM’s)
• Additional coverage available:
o 1st Party Business Interruption: Lost revenue due to failed network security
o Information Asset: Loss or costs associated with restoring destroyed data
o Cyber Extortion: Pays an extortion demand to a party that holds the Insured’s system or data
hostage
o Media: Content based injuries (online and may include offline)
Aon Risk Solutions EMEA
Proprietary & Confidential |
28
29. Insurance Underwriter Issues To Address
I.
Contractual Allocation of liability and hold harmless and indemnity between Insured and each of each counterparties
II.
Are all subsidiaries 100% wholly owned or are there joint ventures?
III. Does Insured comply with regulatory guidelines regarding disclosure of Cyber exposures, mitigation and risk transfer insurance
(ADR’s)?
IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name
Insured as “Additional Insured?”) We have set up “affinity” type programs for large players in the Financial Institutions space
where a supplier of the FI can obtain a $1 MM E & O policy for the benefit of the Insured FI
V.
Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and
products and what are the revenues compared to total revenues?
V.
Do we have a breakdown of revenue by each product/service as the exposures from each are different in both frequency and
severity?
VII.
What percentage of the products and services have been provided for over five years (at least 5 year’s worth of Loss History)?
VIII. What percentage of products and services have been provided for less than one year?
IX.
What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16?
X.
What is the QA process for new products and services?
XI.
What is the escalation process to approve contractual changes with customers?
XII.
What is the escalation process to address and remedy complaints from customers?
XIII.
What percentage of customers are business (B2B) vs. Individuals (B2C)?
Aon Risk Solutions EMEA
Proprietary & Confidential |
29
31. LIMITING THE IMPACT OF CYBER INCIDENTS
Presented by Ben Van Erck
EMEA RISK team
PID#
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
33. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
33
34. UNDERSTANDING THE WHO
VARIED MOTIVATIONS
VARIED TACTICS
• Aim is to maximize disruption
and embarrass victims from
both public and private sector.
• Use very basic methods and are
opportunistic.
• Rely on sheer numbers.
• Motivated by financial gain,
so will take any data that might
have financial value.
• More calculated and complex in
how they chose their targets.
• Criminals are now trading
information for cash.
• Often state-sponsored.
• Driven to get exactly what
they want, from intellectual
property to insider information.
• Often state-sponsored, use most
sophisticated tools to commit
most targeted attacks.
• Tend to be relentless.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
34
35. ESPIONAGE
STATE-AFFILIATED
ESPIONAGE.
• STATE-AFFILIATED ACTORS PERPETRATED
19% OF ATTACKS LAST YEAR.
• TARGETS ARE NOT JUST GOVERNMENT AGENCIES,
AND NOT JUST MILITARY CONTRACTORS.
• BE AWARE OF THE “KNOCK-ON EFFECT” IN
YOUR SUPPLY CHAIN.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
35
36. DIFFICULTY OF ATTACK
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
36
37. WHAT TO WORRY ABOUT
THIS YEAR’S BIGGEST THREATS?
SAME AS LAST YEAR’S.
• Very few surprises, mostly variations on theme.
• 75% of breaches were driven by financial motives.
• 95% of espionage relied on
plain old phishing.
• Well-established threats
shouldn’t be ignored.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
37
38. WHAT TO WORRY ABOUT
WHAT DO ATTACKERS TARGET?
STILL THE TRADITIONAL ASSETS.
• The weak links haven’t changed much:
–Desktops 25%
–File servers 22%
–Laptops 22%
• Unapproved hardware accounts
for 43% of misuse cases.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
38
39. ATTACK VELOCITY
QUICK TO COMPROMISE
• In 84% of cases, initial compromise took hours or less.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
39
40. DETECTION VELOCITY
QUICK TO COMPROMISE
SLOW TO DISCOVERY
• 66% of breaches went undiscovered for months…
… Or even years.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
40
42. INCIDENT RESPONSE PLAN
IT’S NOT ABOUT THE PLAN,
IT’S ABOUT THE PLANNING!
• Develop an IR plan (people, process, technology)
• Mock incident testing
– Table-top
– Fake incident
– Red vs Blue team
• Most important step in your IR process: learning from mistakes (yours and other people’s)
• Stakeholders
• Decision makers
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.
42
43. Additional Information
• Download DBIR – www.verizonenterprise.com/dbir
• Learn about VERIS - www.veriscommunity.net and
http://github.com/vz-risk/veris
• Explore the VERIS Community Database:
http://public.tableausoftware.com/views/vcdb/Overview and learn
more about this data http://veriscommunity.net/doku.php?id=public
• Ask a question – DBIR@verizon.com
• Read our blog - http://www.verizonenterprise.com/security/blog/
• Follow on Twitter - @vzdbir and hashtag #dbir
43