
How Much Cyber Insurance Do You Need?

Julien DUCLOY - SECTOR 2018

2 OCTOBER 2018


MARSH RISK CONSULTING

CONTENT AND THE PRESENTER

Why is it worth an education session?

Where does this approach come from?

What’s the presenter’s background?

JULIEN DUCLOY Cybersecurity & ERM Consulting Services Lead Marsh Risk Consulting Canada

01 October 2018

Objective of the session: learn! … It’s a tool session

• Define how much cyber insurance your organization needs

1. Determine plausible worst case scenarios

2. Quantify financial impacts of scenarios

3. Sort out insurable and non insurable consequences

Identify cyber insurance limit options for your organization

• Give you a simple tool (spreadsheet) to guide you through the process


Objective

Credit Card Data Breach Scenario

The network is breached by a cyber crime attacker. 800,000 credit card numbers are stolen from internal servers. These credit card numbers are sold on the dark net. When the breach is discovered, transactions are interrupted for a period of 48 hrs with conservation measures to ensure incident containment, involving employee overtime. IT and legal investigation has demonstrated significant gaps in the cyber security program and failure to comply with PCI DSS requirements. The incident is published in the press, thus negatively impacting the organization’s reputation. Victims, including card owners, payment card companies, etc., engage a successful class action. The OPC requires security improvements. Some compensatory measures are taken to lower the loss of future revenues due to the reputational damage.

Consequences

• Incident Response and IT Investigation: $300K

• Remediation: $200K

• Breach Coach: $50K

• Business interruption 48Hrs: $2.2M

• Conservation measures: $200K

• Employees overtime: $50K

• Notification costs: $250K

• Legal defense costs: $1.5M

• Identity theft protection, credit monitoring: $600K

• Third party call center: $200K

• Settlement with credit card companies and FIs: $6.5M

• Class action settlement for victims: $1.25M

• Regulatory penalties and fines: $479K

• Public relations: $200K

• Loss of future revenue: $8M

• Mandatory security improvements (OPC): $800K

• Compensatory measures and media campaign: $1M

Total Impact ($M)

Gross Loss: $23.78M

Insurable Loss: $13.45M

Non Insurable Loss: $10.33M


AGENDA

• Cyber Losses

• Risk Quantification Process

• Consequences’ Assessment

• Cyber Insurance

• Examples


Cyber Losses: What Are We Dealing With?

Types of Cyber Risk Scenarios

• Accidental disruption

• Hacktivism

• Nuisance

• Privacy breach (PII, PHI, PCI)

• Extortion Attack

• Espionage

• Theft of financial assets

• Infrastructure damage

Actual Data Breach Losses

Case | Year | Type of Data Breached | Cost
Facebook (US) | 2018 | Personal Records | Unknown so far: $1B + ?
Yahoo (US) | 2017 | Accounts Information | $400M +
Equifax (US) | 2017 | Personal Records & Financial Data | $450M +
Uber (US) | 2016 | Personal Records | $200M +
Anthem (US) | 2015 | Personal Records | $100M +
Condon (CA) | 2014 | Personal Records - Student Loan Applicants | $18M +
Target (CA) | 2013 | Credit Card Numbers & Personal Records | $250M +

Publicly available information

Observed Losses In Cyber Risk

• Can cost up to $1B for a single organization

• If we refine:

– A small data breach: several $10K

– A big extortion attack: from $100K to several $10M

– A massive data breach: several $100M

– A ransomware outbreak: several $10B for multiple organizations

Risk Quantification Process: Do It Yourself

Structured Approach

1. Identify Potential Risk Scenarios

2. Quantify Worst Case Scenarios

3. Analyze Insurability

Structured Approach

Identify Potential Risk Scenarios

• Develop understanding of IT, business model and operations, and the role of IT in the operations

• Research cyber risks in the industry

• Interview key stakeholders

• Define potential scenarios

• Select top risks

Exploit All Available Resources

• Internal data

• External benchmarks

• Subject matter experts

Cyber risk inventory

What Is At Risk? What Are The Impact Types?

Information systems (IT & Ops): Integrity, Confidentiality, Availability

• Individual’s data: identity, health, credit

• Intellectual property, Economic information, Classified information

• Revenue dependent on IT Systems

• Critical infrastructure

• Reputation

How Can It Happen?

Malicious acts External Accident

System Disruption

IT & Ops

Integrity

Confidentiality Availability

Information systems

• Accidental disruption

• Hacktivism

• Nuisance

• Privacy breach

• Extortion Attack

• Theft of financial assets

• Espionage

• Infrastructure damage

Who Is Motivated to Get to Your Organization?

Source: Mandiant M-Trends

Nuisance | Hacktivism | Cyber Crime | Data Theft | Disruption
Annoyance & Ransom | Defamation, Press & Policy | Financial Gain | Economic, Military, Political | Escalation, Destruction
Botnets, DDoS, Automated Virus and Ransomware | Website Defacements Operations Disruption | Marketable Data Theft, Extortion, Theft of Funds | Advanced Persistent Threat Intelligence | Operations Disruption Infrastructure Destruction

Summarize And Select

[Matrix of Accidental Disruption, Hacktivism, Advanced Persistent Threat, Targeted Disruption / Destruction, Cyber Crime, Disgruntled Employee, … against Business Operation 1, Business Operation 2, Network 1, Data Center 2]

Ransomware, application instability, time bombs, website defacing, internal fraud, denial of service, infrastructure destruction, theft of confidential data, misappropriation of assets, prolonged system outage, sabotage, loss of access…

Result: List of scenarios to quantify

Risk Scenario | Financial Impact ($M)
Critical infrastructure damage |
Credit card data breach |
Privacy breach of customer PII data |
Third party data center fire |
Hacktivism / website defacement |
Targeted malware attack on infrastructure |
Corporate office data center fire |
Data corruption due to inadequate patch |
DOS attack on third party data center |

Structured Approach

Quantify Worst Case Scenarios

• Conduct working groups to develop risk scenarios

• Quantify financial impacts

• Validate final scenarios


Cyber Risk Quantification

• Identify and involve stakeholders

• Prepare scenarios outline and be flexible

• Scenario circumstances:

– Follow Murphy’s law

– Make controls fail

– Infrastructure scenarios: physical protections and air gaps are the limit

– Independent systems and networks in the same scenario?

– Loss of backups?

• “We’re covered”

– “We have next gen firewall and endpoint sec” (was that you saying that?)

– “If they do this we’ll know it for sure…”


Find Out About Business Impacts

• Define all necessary assumptions

• Find out impact on operations

• Simplify

Impact has to be severe but plausible

Result: Quantified Scenarios

Risk Scenario | Financial Impact ($M)
Critical infrastructure damage | 159
Credit card data breach | 23.8
Privacy breach of customer PII data | 4.00
Third party data center fire | 3.50
Hacktivism / website defacement | 1.50
Targeted malware attack on infrastructure | 0.75
Corporate office data center fire | 0.50
Data corruption due to inadequate patch | 0.20
DOS attack on third party data center | 0.20

Structured Approach

Analyze Insurability

• Review insurability with the tool or your insurance manager

• Identify potential insurance improvements

• Improve cybersecurity

Result: Insurability Analysis

Risk Scenario | Financial Impact ($M) | Insurable ($M) | Non Insurable ($M) | Comments on Insurability
Critical infrastructure damage | 159 | 50 | 109 | Exceed limit
Credit card data breach | 23.8 | 13.3 | 10.5 | Impacts not covered
Privacy breach of customer PII data | 4.00 | 3.90 | 0.10 | Covered 100%
Third party data center fire | 3.50 | 0 | 3.50 | Contingent not covered
Hacktivism / website defacement | 1.50 | 1.40 | 0.10 | Covered 100%
Targeted malware attack on infrastructure | 0.75 | 0 | 0.75 | Not covered - Exclusion
Corporate office data center fire | 0.50 | 0.40 | 0.10 | Covered 100%
Data corruption due to inadequate patch | 0.20 | 0.10 | 0.10 | Covered, 50% deductible
DOS attack on third party data center | 0.20 | 0 | 0.20 | Contingent not covered

Can’t Deny the Numbers!

Consequences’ Assessment: Where Things Get Complicated

Consequences: Checklist

• Incident Response and IT Investigation

• IT Remediation

• Data restoration

• Breach Coach / Privacy Lawyer

• Ransom Payment

• Business interruption

• Physical Damage (cleaning + construction/repair)

• Conservation measures expenses

• Theft of funds / Financial Assets

• Extra-expenses

• Employees overtime

• Notification


• Legal defense

• Identity theft protection, credit monitoring

• Third party call center

• Settlement with credit card companies and FIs

• Class action settlement for victims

• Collateral Damage on third party / single action

• Regulatory penalties and fines

• Public Relations expenses

• Loss of future revenue

• Loss of IP - IP infringement with loss of revenue

• Loss of brand value / Loss of goodwill

• Mandatory security improvements (OPC)

• Compensatory measures and media campaign

Incident Response and IT Investigation

Cost Enablers: Identification of breach within devices / systems / networks

Cost Drivers:

• number of servers / devices

• complexity of IT infrastructure

• diversity of system types breached

• availability / extent of logs

• length of time in network

• existence of retainer

• breach status and IR duration (live vs. past)

Cost Type: Per Event

Breach Coach

Cost Enablers: Organizational or insurance decision after identification of systems breach

Cost Drivers:

• Size and complexity of breach

• # of jurisdictions

Cost Type: Per Event

Cost Elements Remediation

Cost Enablers: Data / systems corruption

Cost Drivers:

• number of servers and database size(s)

• complexity of IT infrastructure

• if cause of breach is known / potential threat persistence

• capability to execute DR internally

• existence of DR plan / backup type

• need / appetite for hardware replacement

Cost Type: Per Event

Public Relations – Crisis Communication

Cost Enablers: Media exposure

Cost Drivers:

• Extent of media exposure

• Perception of fault from the breached organization

• Intent of cyber attack

Cost Type: Per event

Call Center

Cost Enablers:

• Identification of a privacy breach (PII, PCI, PHI)

• Size of breach

Cost Drivers:

• media exposure

• capacity to provide call center services internally

• call in rate

• Type and extent of data breached (potential for harm)

Cost Type: Per record

Notification

Cost Enablers: Identification of a privacy breach (PII, PHI, PCI)

Cost Drivers:

• Type of notification (indirect, mail, email)

• Media exposure

• Type of data breached (US PHI first class mail)

• Pre-agreement with customer to use email

• Location of individuals

• # of jurisdictions

Cost Type: Per record

ID Protection and Credit Monitoring

Cost Enablers:

• Identification of a privacy breach (PII, PCI)

• Type of information breached (financial / identity)

Cost Drivers:

• Breach location

• Length of protection

• Expected uptake of protection

• Bulk vs. subscription purchasing

Cost Type: Per record

Fines / Penalties

Cost Enablers: Breach of confidential data (PHI, PII, PCI)

Cost Drivers:

• Non-compliance with the breach reporting regime

• Attempt to cover up the breach (potentially causing more harm to victims)

• Combination of: negligence in network / information security, inappropriate data privacy management, non-compliance with security standards or governing regulations

Cost Type: Per Event

Legal Defense

Cost Enablers: Suit brought by those affected

Cost Drivers:

• # of different breach jurisdictions

• # of people affected / suit uptake

• proof of harm

• presence of gross negligence / early settlement

• legal retainer

Cost Type: Per Event

Class Action Settlement – for Victims of Breach

Cost Enablers: Settlement or Judgement for PII / PHI

Cost Drivers:

• # of different breach jurisdictions

• # of people affected / suit uptake

• type / content of data breached

• presence of gross negligence

• proof of harm (case by case)

• Lack of ID protection and credit monitoring provided

Cost Type: Per record

Class Action Settlement – for FI’s / Card Companies

Cost Enablers: PCI breach of cards

Cost Drivers:

• # of people affected

• proof of harm (case by case)

• lack of ID protection and credit monitoring provided

• PCI-DSS non compliance

Cost Type: Per record
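The credit card breach scenario from the Objective slide, rebuilt as a small loss model that applies the per-event / per-record cost types listed on the cost-element slides (an added example, not part of the original deck or of the Marsh spreadsheet tool). The insurable flag on each line item, the per-event treatment of items that have no cost-element slide, and the limit and deductible used in the sample run are assumptions; the flags were chosen so that the totals match the slide's $13.45M and $10.33M.

```python
from dataclasses import dataclass

BASE_RECORDS = 800_000  # card numbers stolen in the scenario


@dataclass(frozen=True)
class CostItem:
    name: str
    amount: int       # dollars at BASE_RECORDS, as listed on the scenario slide
    per_record: bool  # True where a cost-element slide gives cost type "Per record"
    insurable: bool   # ASSUMED: the deck gives only the totals, not the per-item split


# Amounts are the deck's figures. Items without a cost-element slide are treated
# as per event (assumption). The insurable flags are an assumed split that
# reproduces the deck's insurable / non-insurable totals.
ITEMS = (
    CostItem("Incident response and IT investigation", 300_000, False, True),
    CostItem("Remediation", 200_000, False, True),
    CostItem("Breach coach", 50_000, False, True),
    CostItem("Business interruption 48 hrs", 2_200_000, False, True),
    CostItem("Conservation measures", 200_000, False, True),
    CostItem("Employees overtime", 50_000, False, False),
    CostItem("Notification costs", 250_000, True, True),
    CostItem("Legal defense costs", 1_500_000, False, True),
    CostItem("Identity theft protection, credit monitoring", 600_000, True, True),
    CostItem("Third party call center", 200_000, True, True),
    CostItem("Settlement with credit card companies and FIs", 6_500_000, True, True),
    CostItem("Class action settlement for victims", 1_250_000, True, True),
    CostItem("Regulatory penalties and fines", 479_000, False, False),
    CostItem("Public relations", 200_000, False, True),
    CostItem("Loss of future revenue", 8_000_000, False, False),
    CostItem("Mandatory security improvements (OPC)", 800_000, False, False),
    CostItem("Compensatory measures and media campaign", 1_000_000, False, False),
)


def scenario_loss(records, items=ITEMS):
    """Gross, insurable and non-insurable loss (dollars) for a breach of `records` cards."""
    if records < 0:
        raise ValueError("records must be non-negative")
    totals = {"gross": 0, "insurable": 0, "non_insurable": 0}
    for item in items:
        # Per-record items scale linearly with breach size; per-event items do not.
        cost = item.amount * records // BASE_RECORDS if item.per_record else item.amount
        totals["gross"] += cost
        totals["insurable" if item.insurable else "non_insurable"] += cost
    return totals


def insurance_outcome(records, limit, deductible):
    """What a policy pays and what the organization keeps for one scenario."""
    loss = scenario_loss(records)
    claim = max(loss["insurable"] - deductible, 0)   # insurable loss above the deductible
    paid = min(claim, limit)                         # capped by the policy limit
    return {
        "paid": paid,
        "retained": loss["gross"] - paid,            # deductible + excess + non-insurable
        "excess_over_limit": claim - paid,
    }


def limit_needed(records, deductible):
    """Smallest limit that transfers the whole insurable loss above the deductible."""
    return max(scenario_loss(records)["insurable"] - deductible, 0)


if __name__ == "__main__":
    DEDUCTIBLE = 100_000  # assumed value for the sample run
    for n in (200_000, 800_000, 1_600_000):
        loss = scenario_loss(n)
        need = limit_needed(n, DEDUCTIBLE)
        print(f"{n:>9,} records: gross ${loss['gross'] / 1e6:.2f}M, "
              f"insurable ${loss['insurable'] / 1e6:.2f}M, "
              f"limit needed ${need / 1e6:.2f}M")
    # Compare two candidate limits (assumed values) for the 800,000-record case.
    for limit in (10_000_000, 50_000_000):
        print(limit, insurance_outcome(BASE_RECORDS, limit, DEDUCTIBLE))
```

Because only the per-record items grow with breach size, doubling the record count raises the gross loss by the per-record subtotal rather than doubling it.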

Insurance

Cyber Insurance: 101

Cyber Insurance: 101 Cyber VS Traditional Insurance

Legend: Not typically covered / May be covered in some cases / Typically covered

Traditional Insurance Policies: Property, General Liability, Crime Policy, D&O

Category | Cyber Threat | Potential Cyber Insurance Solutions
Corporate IP | Confidentiality of Corporate IP | Specialty IP Infringement Policies
Corporate IP | Integrity & Availability of Corporate IP | Data Restoration Coverage
Third-Party Data | Confidentiality, Integrity, and Availability of Third-Party Data | Comprehensive Cyber Policy
Technology Infrastructure | Availability of Operational Technology, Core and General Information Systems | Network Business Interruption / Extra Expense Coverage
Technology Infrastructure | Availability of Outsourced Information Systems | Dependent Business Interruption Coverage
Relationship Capital | Integrity (Value) of Relationship Capital (B2B & B2C) | Specialty Reputational Risk Policies
Financial Assets | Availability (Theft) of Financial Assets | Cyber Crime Policies and Endorsements
Cyber-exposed Physical Assets | Integrity (Physical Damage) of Cyber-exposed Physical Assets | Specialty Cyber Property Damage Policies

Note: All insurance coverage is subject to the terms, conditions, and exclusions in the applicable individual policies. Marsh cannot provide assurance that insurance can be obtained for any particular client or risk.

Cyber Insurance: 101 What is covered?

Common Cyber Insurance Limitations and Exclusions

• Classic Insurance Exclusions:

– Fraudulent behavior of the C-Suite

– War & Terrorism

– …

• Impacts covered by other insurance policies:

– Theft of funds

– Property Damage

– …

- BUT - some of these exclusions can now be purchased as an additional coverage option

Non Financial Benefits of Cyber Insurance

• Provides immediate assistance to contain the incident and limit the impact

• Encourages management to discuss cyber risk, reward and cost

• Supports IR and recovery plans, and overall investment in cybersecurity

Examples: Let’s Use The Tool!

Contact Information

Julien Ducloy Cybersecurity & ERM Consulting Services Lead Marsh Risk Consulting Canada [email protected] https://www.linkedin.com/in/julienducloyriskmanagement/ +1 647 229 4703

Cyber Risk Consulting Services – Marsh Canada Limited

Cyber Security Assessment

• Compromise Assessment (CF)

• Cyber Snapshot (CF)

• Network Penetration Tests (CF)

• Security Program Assessment (NIST, ISO, CIS, etc.) (MAR) (CF-M)

• Vendor Cyber Risk Assessment (MAR) (CF-M)

Cyber Risk Management

• Cyber Risk Identification (MAR) (CF-M)

• Cyber Risk Quantification (MAR)

• Cyber Risk Insurability Analysis (MAR)

• Total Cost of Risk Optimization (MAR)

• Third Parties Contractual Risk Transfer (MAR) (CF-M)

Cyber Security Development

• Information Security Framework Development (MAR)

• MSSP Selection (CF) (CF-M)

• PCI-DSS Certification (CF) (CF-M)

• Cyber Regulation Compliance Audit (GDPR, FedRamp, NYS, etc.) (MAR) (CF-M)

Incident Response

• Incident Response Preparation (MAR) (CF-M)

• Disaster Recovery & Business Continuity Planning (MAR) (CF-M)

• Claim Preparation (MAR)

MAR : Marsh Only Services

CF : Collaborative Firm Only Services

CF-M : Marsh & Collaborative Firm Joint Services

DISCLAIMER

The “insurability” information that is provided in this presentation is based on commonly observed insurance market offering. This offering and associated conditions vary depending on carriers and specific contracts. Any type of consequence deemed as insurable takes the assumption that the corresponding claim is covered by a contract which covers this particular consequence. Your organisation’s ability to obtain any type of cyber insurance contract and particular conditions is not assumed at anytime by Marsh.

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. All decisions regarding the amount, type or terms of coverage shall be your ultimate responsibility. While Marsh may provide advice and recommendations, you must decide on the specific coverage that is appropriate for your particular circumstances and financial position. By accepting this document, you acknowledge and agree to the terms, conditions, and disclaimers set forth above.

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.

Copyright © 2018 Marsh Canada Limited and its licensors. All rights reserved. www.marsh.ca | www.marsh.com
