Cyber Risk Market Overview
FSM CIC Captive Insurance Seminar
20 October 2016, Tokyo, Japan
Prepared by Aon Risk Solutions
Proprietary & Confidential
Risk. Reinsurance. Human Resources
Table of Contents
• Cyber & Captive insights
• Cyber Risk in Asia
  – Tangible Asset v Intangible Asset Valuation
  – Market Trends
• Cyber Risk Transfer
• Director and Officer Exposure to Cyber Liability
  – The high profile lawsuits – and wins – for boards
  – Protecting yourself and the entity pre-breach and post-breach and through insurance
2016 Aon Captive Cyber Benchmarking Survey
Source: 2016 Aon Captive Cyber Benchmarking Survey by Industry Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry: http://www.aon.com/risk-services/cyber.jsp
| Topics | Data Holders | Product Risk | Critical Infrastructure | Transportation | Heavy Industry |
|---|---|---|---|---|---|
| Top Cyber Risk Concern | Post Breach Business Interruption | Business Interruption | Business Interruption | Business Interruption | Business Interruption |
| Lowest Cyber Risk Concern | Bodily Injury/Property Damage | Bodily Injury/Property Damage | Data & System Restoration | Loss of IP | Bodily Injury/Property Damage |
| Use of Risk Assessment to inform Coverage/limits | 51% | 75% | 59% | 70% | 56% |
| Rationale for buying cover | Board Due Diligence (80%) | Balance Sheet Protection (58%) | Balance Sheet Protection (71%) | Balance Sheet Protection (64%) | Board Due Diligence (56%) |
| Who is buying | 70% | 17% | 29% | 33% | 33% |
| Limits (m) | USD 10-25 | USD 10-25 | >USD 100 | USD 10-25 | USD 10-25 |
| Budgeted for Cyber Cover | 74% | 31% | 41% | 9% | 33% |
Cyber Insurance For Balance Sheet Protection
Source: 2016 Aon Captive Cyber Benchmarking Survey by Industry Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry: http://www.aon.com/risk-services/cyber.jsp
“With the average estimated cost of a data breach reaching USD 3.8 million, and catastrophic breaches resulting in cyber insurance limits losses in excess of USD 100 million, it is not surprising that the majority of survey participants have listed balance sheet protection as the main reason for purchasing or considering insurance to cover catastrophic exposures.”
Cyber Risk Impacts All Loss Quadrants
Cyber Loss Spectrum (axes: 1st Party / 3rd Party; Financial / Tangible)
Any major cyber event will result in
• PR, response, and continuity costs
• Immediate and extended revenue loss
• Restoration expenses
• Defense costs
Third parties will seek to recover
• Civil penalties and awards
• Consequential revenue loss
• Restoration expenses
Physical damage is possible
• 1st party property damage
• 1st party bodily injury
Physical damage may cascade to others
• 3rd party property damage
• 3rd party bodily injury
Business Snapshot
Business Segment Brief Description
Contract Drilling
Company offers contract drilling to customers in Canada, USA, Venezuela, Argentina, Kurdistan, Libya, Oman, Gabon, Australia & New Zealand. The company offers rigs and drilling solutions to clients which are major oil & gas producers. Service offerings include: coring drilling services in support of oil sands development, well servicing and slant drilling solutions to oil sands producers’ steam-assisted gravity drainage applications etc. Click here to know more about Ensign’s ‘Contract Drilling operations’.
Directional Drilling
Drilling service offerings include: conventional directional & horizontal drilling, remote drilling, short-radius drilling, multi-well pad drilling and automated drilling rigs. Company uses state-of-the-art electromagnetic and MWD technology with gamma modules while carrying out drilling operations. Click here to know more about Ensign’s directional drilling operations.
Underbalanced Drilling
Ensign offers a comprehensive range of underbalanced drilling packages which include: self-contained systems with nitrogen generation, compression equipment and surface control systems. The company makes use of the technology ‘Envision’, which controls the drilling operations through a state-of-the-art programmable logic control program. Click here to learn more about Ensign’s ‘Underbalanced drilling operations’.
Rental Equipment (Equipment Rentals)
Ensign offers rental services of equipment like: pumps, rig mats, light plants, flare tanks, Centrifuge bins, mud motors, drill collars, heavyweight drill pipe, mud cleaning equipment, gas busters etc. The rental of equipment is predominantly based out of Canada & USA. Please click here to know more about Ensign’s rental equipment segment.
Well Servicing
Service offerings include: Well completions and re-completions, Abandonment of redundant wells, Production workovers, Bottom hole pump changes, Servicing of downhole pumps / replacement of downhole components or tubulars, Sidetracking and deepening of wells, Fishing and swabbing operations, Drilling of shallow water, oil, gas or coal bed methane wells and Completion fluid filtration and conditioning. Click here to know more about Ensign’s ‘Well Servicing’ operations.
Production Services
Ensign, through ‘Production Services’ segment offers wireline services, production testing, technical and reporting, training and certifications to customers. Opsco Energy Industries Ltd, a wholly owned subsidiary of Ensign, offers slickline and braided line completion and production testing services, pressure pumping and wireline (slickline and braided line) services to customers in Western Canada Sedimentary Basin, USA & other international locations. Kindly click here to know more about Ensign’s ‘Production Services’.
Cyber Risk in Asia
2015 Global Cyber Financial Impact Report
Valuing Tangible and Intangible Assets
• Total value of PP&E: $848
• Total value of information assets: $815
Estimating Loss to Tangible and Intangible Assets
• The value of the largest loss (PML) that could result from the theft and/or destruction of information assets: $617
• The value of the largest loss (PML) that could result from damage or the total destruction of PP&E: $648
Extrapolated value ($ millions)
Source: Aon/Ponemon 2015 Global Cyber Impact Study
2015 Global Cyber Financial Impact Report
Insuring Tangible and Intangible Assets
• The percentage of potential loss to PP&E assets covered by insurance: 51%
• The percentage of potential loss to information assets covered by insurance: 12%
Cyber risk awareness among APAC businesses
• Would not disclose a material uninsured loss of tangible assets: 9%
• Would not disclose a material uninsured loss of intangible assets: 38%
• Fully aware of the consequences of a data breach: 16%
• Assess cyber risk exposure based on intuition, informal internal assessment, or not at all: 58%
Source: Aon/Ponemon 2015 Global Cyber Impact Study
Cyber Risk in Asia
Source: Mandiant M-Trends Asia Pacific
• 520 days: Median time between breach and discovery in APAC – three times the global average.
• 80%: Organisations in APAC are 80% more likely to be targeted than other parts of the world.
• 3.7GB: Average amount of data stolen in an attack in APAC.
V-Tech, Thailand Government, Vietnam Airlines, Japan Airlines, Philippines COMELEC, Bangladesh Bank
Market Trends – Attack Trends
• 2015 (and early 2016) has seen, largely, a continuation of trends in relation to cyber-attacks.
• The majority of perpetrators are still external actors, the primary motive remains financial gain, and phishing, particularly spear phishing, attacks remain dominant.
• Spear phishing attacks targeting employees increased by 55 percent in 2015.
• Social engineering has increased in frequency and public recognition.
• There has also been an increase in ransomware attacks – up 35 percent in 2015.
• DD4BC (Distributed Denial of Service for Bitcoin) attacks have been common, with smaller scale attacks launched initially along with a modest demand for payment, with the threat of increased attacks if the demand is not met.
Source: Symantec’s Internet Security Threat Report 2016
Cyber Risk Transfer
Cyber Risk Transfer – Attack Costs
Cost categories: Crisis Expense; Lost Income; Extra Expense; Liability; Fines and Penalties
Cost items:
• Forensics
• Notification and Monitoring
• Public Relations
• Legal guidance
• Business Interruption
• Dependent Interruption
• Intangible Asset Damage
• Cyber Extortion Payments
• Breach of Privacy
• Regulatory Fines
• Defence Costs
• Defence Costs
• Increased Cost of Working
• Network Security Failure
• Media Liability
Aon Cyber Enterprise Solution™: an overview
Director & Officer Exposure
Actions against Directors
Target
May 2016 – Minnesota Federal Court dismisses consolidated action by Target shareholders arising from major data breach in 2013.
Shareholders alleged gross mismanagement and breach of fiduciary duty by directors in failing to implement controls to prevent the data breach.
A Special Litigation Committee conducted an extensive 21 month investigation and recommended that the claim be dismissed.
Heartland
2009 – Shareholders claimed that Heartland – which suffered a major data breach, compromising the personal data of millions of individuals – had previously concealed an attack and made fraudulent representations regarding cyber security.
Court dismissed the action, as the allegation that D&Os knew the security systems to be deficient was not particularised.
Wyndham
October 2014 – Derivative action against Directors dismissed. Action followed a series of data breaches in 2008 and 2009.
Plaintiffs argued that senior executives failed to take sufficient steps to protect sensitive information. Court found no “bad faith” on the part of the board.
Home Depot
September 2015 – shareholder derivative lawsuit filed against 12 directors, alleging a breach of fiduciary duties of good faith and due care by failing to safeguard information.
The claim cites the Target and Neiman Marcus breaches as evidence of fair warning to the board that an attack was predictable.
Board Level Mitigation
Parties: Board / Senior Executives; Risk Management Team; IT Department; Broker / Insurer; Vendors and Customers
• Know and meet regularly with your Information Security / IT Team. Understand incidents or “near misses”.
• Understand your contracts with your customers and vendors. What risks are you assuming? Who is required to maintain insurance?
• Review your risks with your insurance broker and insurer continually. Insurance coverage is negotiable.
• Ensure that there are up to date policies and plans in place for data protection, incident response and business continuity.
• Manage the dialogue between your IT and Risk teams.
• Know your external experts and reporting obligations when a cyber event occurs.
Aon Risk Solutions | 2 Shenton Way | #26-01 SGX Centre 1 | Singapore 068804
Aon Singapore (Broking Centre) Pte Ltd | Co. Reg No. 199708153K
© Aon plc 2016. All rights reserved.
No part of this report may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.