How Much Cyber Insurance Do You Need?
Julien DUCLOY - SECTOR 2018
2 OCTOBER 2018
MARSH RISK CONSULTING
CONTENT AND THE PRESENTER
• Why is it worth an education session?
• Where does this approach come from?
• What is the presenter's background?
Julien Ducloy, Cybersecurity & ERM Consulting Services Lead, Marsh Risk Consulting Canada
01 October 2018
Objective of the session: learn! It's a tool session.
• Define how much cyber insurance your organization needs:
1. Determine plausible worst case scenarios
2. Quantify financial impacts of scenarios
3. Sort out insurable and non insurable consequences
4. Identify cyber insurance limit options for your organization
• Give you a simple tool (spreadsheet) to guide you through the process
Objective
Credit Card Data Breach Scenario
The network is breached by a cyber crime attacker and 800,000 credit card numbers are stolen from internal servers. These credit card numbers are sold on the dark net. When the breach is discovered, transactions are interrupted for a period of 48 hours while conservation measures are put in place to ensure incident containment, involving employee overtime. The IT and legal investigation demonstrates significant gaps in the cyber security program and failure to comply with PCI DSS requirements. The incident is published in the press, negatively impacting the organization's reputation. Victims, including card owners, payment card companies, etc., engage a successful class action. The OPC requires security improvements. Some compensatory measures are taken to lower the loss of future revenues due to the reputational damage.
Consequences:
• Incident Response and IT Investigation: $300K
• Remediation: $200K
• Breach Coach: $50K
• Business interruption 48Hrs: $2.2M
• Conservation measures: $200K
• Employees overtime: $50K
• Notification costs: $250K
• Legal defense costs: $1.5M
• Identity theft protection, credit monitoring: $600K
• Third party call center: $200K
• Settlement with credit card companies and FIs: $6.5M
• Class action settlement for victims: $1.25M
• Regulatory penalties and fines: $479K
• Public relations: $200K
• Loss of future revenue: $8M
• Mandatory security improvements (OPC): $800K
• Compensatory measures and media campaign: $1M
Total Impact ($M):
Gross Loss: $23.78M
Insurable Loss: $13.45M
Non Insurable Loss: $10.33M
AGENDA
• Cyber Losses
• Risk Quantification Process
• Consequences' Assessment
• Cyber Insurance
• Examples
http://funpicc.blogspot.ca/2011/04/your-password-is-incorrect-will-ferrell.html
Cyber Losses: What Are We Dealing With?
Types of Cyber Risk Scenarios
• Accidental disruption
• Hacktivism
• Nuisance
• Privacy breach (PII, PHI, PCI)
• Extortion Attack
• Espionage
• Theft of financial assets
• Infrastructure damage
Actual Data Breach Losses
Case | Year | Type of Data Breached | Cost
Facebook (US) | 2018 | Personal Records | Unknown so far: $1B + ?
Yahoo (US) | 2017 | Accounts Information | $400M +
Equifax (US) | 2017 | Personal Records & Financial Data | $450M +
Uber (US) | 2016 | Personal Records | $200M +
Anthem (US) | 2015 | Personal Records | $100M +
Condon (CA) | 2014 | Personal Records - Student Loan Applicants | $18M +
Target (CA) | 2013 | Credit Card Numbers & Personal Records | $250M +
Source: publicly available information
Observed Losses In Cyber Risk
• Can cost up to $1B for a single organization
• If we refine:
– A small data breach: several $10K
– A big extortion attack: from $100K to several $10M
– A massive data breach: several $100M
– A ransomware outbreak: several $10B for multiple organizations
Risk Quantification Process: Do It Yourself
Structured Approach
Identify Potential Risk Scenarios → Quantify Worst Case Scenarios → Analyze Insurability
Structured Approach: Identify Potential Risk Scenarios
• Develop understanding of IT, business model and operations, and the role of IT in the operations
• Research cyber risks in the industry
• Interview key stakeholders
• Define potential scenarios
• Select top risks
Exploit All Available Resources
Internal data + External benchmarks + Subject matter experts → Cyber risk inventory
What Is At Risk? What Are The Impact Types?
Impact types (IT & Ops / Information systems): Integrity, Confidentiality, Availability
What is at risk:
• Individual's data: identity, health, credit
• Intellectual property, economic information, classified information
• Revenue dependent on IT systems
• Critical infrastructure
• Reputation
How Can It Happen?
Causes: Malicious acts, External, Accident, System Disruption
Impact types (IT & Ops / Information systems): Integrity, Confidentiality, Availability
Scenario types:
• Accidental disruption
• Hacktivism
• Nuisance
• Privacy breach
• Extortion Attack
• Theft of financial assets
• Espionage
• Infrastructure damage
Who Is Motivated to Get to Your Organization?
Source: Mandiant M-Trends
Threat | Motivation | Typical Activity
Nuisance | Annoyance & Ransom | Botnets, DDoS, Automated Virus and Ransomware
Hacktivism | Defamation, Press & Policy | Website Defacements, Operations Disruption
Cyber Crime | Financial Gain | Marketable Data Theft, Extortion, Theft of Funds
Data Theft | Economic, Military, Political | Advanced Persistent Threat, Intelligence
Disruption | Escalation, Destruction | Operations Disruption, Infrastructure Destruction
Summarize And Select
Threat sources (columns): Accidental Disruption, Hacktivism, Advanced Persistent Threat, Targeted Disruption / Destruction, Cyber Crime, Disgruntled Employee, …
Assets (rows): Business Operation 1, Business Operation 2, Network 1, Data Center 2, …
Example events in the matrix: Ransomware, application instability, time bombs, website defacing, internal fraud, denial of service, infrastructure destruction, theft of confidential data, misappropriation of assets, prolonged system outage, sabotage, loss of access…
Result: List of scenarios to quantify
Risk Scenario (the Financial Impact ($M) column is still empty at this stage):
• Critical infrastructure damage
• Credit card data breach
• Privacy breach of customer PII data
• Third party data center fire
• Hacktivism / website defacement
• Targeted malware attack on infrastructure
• Corporate office data center fire
• Data corruption due to inadequate patch
• DOS attack on third party data center
Structured Approach: Quantify Worst Case Scenarios
• Conduct working groups to develop risk scenarios
• Quantify financial impacts
• Validate final scenarios
Cyber Risk Quantification
• Identify and involve stakeholders
• Prepare a scenario outline and be flexible
• Scenario circumstances:
– Follow Murphy's law
– Make controls fail
– Infrastructure scenarios: physical protections and air gaps are the limit
– Independent systems and networks in the same scenario?
– Loss of backups?
• "We're covered"
– "We have next gen firewall and endpoint sec" (was that you saying that?)
– "If they do this we'll know it for sure…"
Find Out About Business Impacts
• Define all necessary assumptions
• Find out the impact on operations
• Simplify
Impact has to be severe but plausible.
Result: Quantified Scenarios
Risk Scenario | Financial Impact ($M)
Critical infrastructure damage | 159
Credit card data breach | 23.8
Privacy breach of customer PII data | 4.00
Third party data center fire | 3.50
Hacktivism / website defacement | 1.50
Targeted malware attack on infrastructure | 0.75
Corporate office data center fire | 0.50
Data corruption due to inadequate patch | 0.20
DOS attack on third party data center | 0.20
Structured Approach: Analyze Insurability
• Review insurability with the tool or your insurance manager
• Identify potential insurance improvements
• Improve cybersecurity
Result: Insurability Analysis
Risk Scenario | Financial Impact ($M) | Insurable ($M) | Non Insurable ($M) | Comments on Insurability
Critical infrastructure damage | 159 | 50 | 109 | Exceed limit
Credit card data breach | 23.8 | 13.3 | 10.5 | Impacts not covered
Privacy breach of customer PII data | 4.00 | 3.90 | 0.10 | Covered 100%
Third party data center fire | 3.50 | 0 | 3.50 | Contingent not covered
Hacktivism / website defacement | 1.50 | 1.40 | 0.10 | Covered 100%
Targeted malware attack on infrastructure | 0.75 | 0 | 0.75 | Not covered - Exclusion
Corporate office data center fire | 0.50 | 0.40 | 0.10 | Covered 100%
Data corruption due to inadequate patch | 0.20 | 0.10 | 0.10 | Covered, 50% deductible
DOS attack on third party data center | 0.20 | 0 | 0.20 | Contingent not covered
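The roll-up and insurability check that the spreadsheet tool performs, as an added Python example (not the deck's own tool): it reproduces the credit card scenario totals ($23.78M gross, $13.45M insurable, $10.33M non-insurable) and the limit/exclusion logic behind the insurability table. Which line items count as non-insurable, and the $50M policy limit, are assumptions inferred from the slide totals rather than stated by the deck.

```python
# Added example: scenario roll-up and insurability check (not the deck's tool).
# Amounts are in $K as on the slides. The insurable flags and the $50M limit
# are assumptions inferred from the slide totals, not stated item by item.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Consequence:
    name: str
    amount_k: float   # financial impact in $K
    insurable: bool   # assumption: is this loss type typically covered?

def roll_up(items: List[Consequence]) -> Tuple[float, float, float]:
    """Return (gross, insurable, non-insurable) in $M, rounded to 2 decimals."""
    gross = sum(c.amount_k for c in items)
    ins = sum(c.amount_k for c in items if c.insurable)
    return tuple(round(v / 1000, 2) for v in (gross, ins, gross - ins))

def apply_policy(gross_m: float, insurable_m: float, limit_m: float,
                 excluded: bool = False) -> Tuple[float, float, str]:
    """Cap the insurable part by the policy limit; an exclusion pays nothing.
    Returns (insurable, non-insurable, comment) in $M like the analysis table."""
    if excluded:
        paid, comment = 0.0, "Not covered - Exclusion"
    elif insurable_m > limit_m:
        paid, comment = limit_m, "Exceed limit"
    elif insurable_m < gross_m:
        paid, comment = insurable_m, "Impacts not covered"
    else:
        paid, comment = insurable_m, "Covered 100%"
    return paid, round(gross_m - paid, 2), comment

# Constructed from the deck's credit card data breach scenario ($K).
CREDIT_CARD_BREACH = [
    Consequence("Incident Response and IT Investigation", 300, True),
    Consequence("Remediation", 200, True),
    Consequence("Breach Coach", 50, True),
    Consequence("Business interruption 48Hrs", 2200, True),
    Consequence("Conservation measures", 200, True),
    Consequence("Employees overtime", 50, False),
    Consequence("Notification costs", 250, True),
    Consequence("Legal defense costs", 1500, True),
    Consequence("Identity theft protection, credit monitoring", 600, True),
    Consequence("Third party call center", 200, True),
    Consequence("Settlement with credit card companies and FIs", 6500, True),
    Consequence("Class action settlement for victims", 1250, True),
    Consequence("Regulatory penalties and fines", 479, False),
    Consequence("Public relations", 200, True),
    Consequence("Loss of future revenue", 8000, False),
    Consequence("Mandatory security improvements (OPC)", 800, False),
    Consequence("Compensatory measures and media campaign", 1000, False),
]
POLICY_LIMIT_M = 50.0  # assumed: "Exceed limit" row shows 159 -> 50 insurable

if __name__ == "__main__":
    print("Credit card breach (gross, insurable, non-insurable $M):",
          roll_up(CREDIT_CARD_BREACH))
    print("Critical infrastructure damage:", apply_policy(159.0, 159.0, POLICY_LIMIT_M))
```

The scenario slide and the analysis table differ slightly for the credit card row (13.45 vs 13.3); the code follows the itemised scenario slide.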
Can't Deny the Numbers!
Consequences' Assessment: Where Things Get Complicated
Consequences: Checklist
• Incident Response and IT Investigation
• IT Remediation
• Data restoration
• Breach Coach / Privacy Lawyer
• Ransom Payment
• Business interruption
• Physical Damage (cleaning + construction/repair)
• Conservation measures expenses
• Theft of funds / Financial Assets
• Extra-expenses
• Employees overtime
• Notification
• Legal defense
• Identity theft protection, credit monitoring
• Third party call center
• Settlement with credit card companies and FIs
• Class action settlement for victims
• Collateral Damage on third party / single action
• Regulatory penalties and fines
• Public Relations expenses
• Loss of future revenue
• Loss of IP - IP infringement with loss of revenue
• Loss of brand value / Loss of goodwill
• Mandatory security improvements (OPC)
• Compensatory measures and media campaign
Incident Response and IT Investigation
Cost Enablers: Identification of breach within devices / systems / networks
Cost Drivers:
• number of servers / devices
• complexity of IT infrastructure
• diversity of system types breached
• availability / extent of logs
• length of time in network
• existence of retainer
• breach status and IR duration (live vs. past)
Cost Type: Per Event
Breach Coach
Cost Enablers: Organizational or insurance decision after identification of systems breach
Cost Drivers:
• Size and complexity of breach
• # of jurisdictions
Cost Type: Per Event
Remediation
Cost Enablers: Data / systems corruption
Cost Drivers:
• number of servers and database size(s)
• complexity of IT infrastructure
• if cause of breach is known / potential threat persistence
• capability to execute DR internally
• existence of DR plan / backup type
• need / appetite for hardware replacement
Cost Type: Per Event
Public Relations – Crisis Communication
Cost Enablers: Media exposure
Cost Drivers:
• Extent of media exposure
• Perception of fault from the breached organization
• Intent of cyber attack
Cost Type: Per event
Call Center
Cost Enablers:
• Identification of a privacy breach (PII, PCI, PHI)
• Size of breach
Cost Drivers:
• media exposure
• capacity to provide call center services internally
• call in rate
• Type and extent of data breached (potential for harm)
Cost Type: Per record
Notification
Cost Enablers: Identification of a privacy breach (PII, PHI, PCI)
Cost Drivers:
• Type of notification (indirect, mail, email)
• Media exposure
• Type of data breached (US PHI: first class mail)
• Pre-agreement with customer to use email
• Location of individuals
• # of jurisdictions
Cost Type: Per record
ID Protection and Credit Monitoring
Cost Enablers:
• Identification of a privacy breach (PII, PCI)
• Type of information breached (financial / identity)
Cost Drivers:
• Breach location
• Length of protection
• Expected uptake of protection
• Bulk vs. subscription purchasing
Cost Type: Per record
Fines / Penalties
Cost Enablers: Breach of confidential data (PHI, PII, PCI)
Cost Drivers:
• Non-compliance with the breach reporting regime
• Attempt to cover up the breach (potentially causing more harm to victims)
• Combination of: negligence in network / information security, inappropriate data privacy management, non-compliance with security standards or governing regulations
Cost Type: Per Event
Legal Defense
Cost Enablers: Suit brought by those affected
Cost Drivers:
• # of different breach jurisdictions
• # of people affected / suit uptake
• proof of harm
• presence of gross negligence / early settlement
• legal retainer
Cost Type: Per Event
Class Action Settlement – for Victims of Breach
Cost Enablers: Settlement or Judgement for PII / PHI
Cost Drivers:
• # of different breach jurisdictions
• # of people affected / suit uptake
• type / content of data breached
• presence of gross negligence
• proof of harm (case by case)
• Lack of ID protection and credit monitoring provided
Cost Type: Per record
Class Action Settlement – for FI's / Card Companies
Cost Enablers: PCI breach of cards
Cost Drivers:
• # of people affected
• proof of harm (case by case)
• lack of ID protection and credit monitoring provided
• PCI-DSS non compliance
Cost Type: Per record
Insurance
Cyber Insurance: 101
Legend: Not typically covered / May be covered in some cases / Typically covered
Note: All insurance coverage is subject to the terms, conditions, and exclusions in the applicable individual policies. Marsh cannot provide assurance that insurance can be obtained for any particular client or risk.
Cyber Insurance: 101 – Cyber VS Traditional Insurance
Traditional insurance policies compared: Property, General Liability, Crime Policy, D&O (coverage of each cyber threat by these policies was shown by colour on the original slide)
Cyber Threat | Potential Cyber Insurance Solutions
Corporate IP: Confidentiality of Corporate IP | Specialty IP Infringement Policies
Corporate IP: Integrity & Availability of Corporate IP | Data Restoration Coverage
Third-Party Data: Confidentiality, Integrity, and Availability of Third-Party Data | Comprehensive Cyber Policy
Technology Infrastructure: Availability of Operational Technology, Core and General Information Systems | Network Business Interruption / Extra Expense Coverage
Technology Infrastructure: Availability of Outsourced Information Systems | Dependent Business Interruption Coverage
Relationship Capital: Integrity (Value) of Relationship Capital (B2B & B2C) | Specialty Reputational Risk Policies
Financial Assets: Availability (Theft) of Financial Assets | Cyber Crime Policies and Endorsements
Cyber-exposed Physical Assets: Integrity (Physical Damage) of Cyber-exposed Physical Assets | Specialty Cyber Property Damage Policies
Cyber Insurance: 101 – What is covered?
Common Cyber Insurance Limitations and Exclusions
• Classic Insurance Exclusions:
– Fraudulent behavior of the C-Suite
– War & Terrorism
– …
• Impacts covered by other insurance policies:
– Theft of funds
– Property Damage
– …
BUT some of these exclusions can now be purchased as an additional coverage option.
Non Financial Benefits of Cyber Insurance
• Provides immediate assistance to contain the incident and limit the impact
• Encourages management to discuss cyber risk, reward and cost
• Supports IR and recovery plans, and overall investment in cybersecurity
Examples: Let's Use The Tool!
Contact Information
Julien Ducloy Cybersecurity & ERM Consulting Services Lead Marsh Risk Consulting Canada [email protected] https://www.linkedin.com/in/julienducloyriskmanagement/ +1 647 229 4703
MARSH
Cyber Risk Consulting Services – Marsh Canada Limited
Cyber Security Assessment:
• Compromise Assessment (CF)
• Cyber Snapshot (CF)
• Network Penetration Tests (CF)
• Security Program Assessment (NIST, ISO, CIS, etc.) (MAR) (CF-M)
• Vendor Cyber Risk Assessment (MAR) (CF-M)
Cyber Risk Management:
• Cyber Risk Identification (MAR) (CF-M)
• Cyber Risk Quantification (MAR)
• Cyber Risk Insurability Analysis (MAR)
• Total Cost of Risk Optimization (MAR)
• Third Parties Contractual Risk Transfer (MAR) (CF-M)
Cyber Security Development:
• Information Security Framework Development (MAR)
• MSSP Selection (CF) (CF-M)
• PCI-DSS Certification (CF) (CF-M)
• Cyber Regulation Compliance Audit (GDPR, FedRamp, NYS, etc.) (MAR) (CF-M)
Incident Response:
• Incident Response Preparation (MAR) (CF-M)
• Disaster Recovery & Business Continuity Planning (MAR) (CF-M)
• Claim Preparation (MAR)
MAR: Marsh Only Services
CF: Collaborative Firm Only Services
CF-M: Marsh & Collaborative Firm Joint Services
DISCLAIMER
The "insurability" information provided in this presentation is based on commonly observed insurance market offerings. These offerings and their associated conditions vary depending on carriers and specific contracts. Any type of consequence deemed insurable assumes that the corresponding claim is covered by a contract which covers this particular consequence. Your organisation's ability to obtain any type of cyber insurance contract and particular conditions is not assumed at any time by Marsh.
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended
solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh
and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any
statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and
risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own
professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be
materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should
change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as
to its accuracy. Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party
with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or
warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh
makes no assurances regarding the availability, cost, or terms of insurance coverage. All decisions regarding the amount, type or
terms of coverage shall be your ultimate responsibility. While Marsh may provide advice and recommendations, you must decide
on the specific coverage that is appropriate for your particular circumstances and financial position. By accepting this document,
you acknowledge and agree to the terms, conditions, and disclaimers set forth above.
Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.
Copyright © 2018 Marsh Canada Limited and its licensors. All rights reserved. www.marsh.ca | www.marsh.com