A reinsurer’s perspective on cyber threats, cyber resilience, insurance and data taxonomy
Mark Coss
Source: used under licence from Shutterstock.com
Agenda
1. Cyber Security Taxonomy: From threats to an insured loss
2. Cyber Attack Life Cycle: what does a targeted attack look like?
3. Information Security & Systems Control Risk Management framework
4. Cyber Insurance: available risk transfer and residual business risk
5. Data Taxonomy: what data needs to be fed into an industry database and recorded
13-Oct-16, A reinsurer’s perspective on cyber, Mark Coss
1. Cyber Security Taxonomy: From threats to an insured loss

Cyber Security Taxonomy: From Threats to an Insured Loss (Assets)
Workstations
OS, Applications, Browsers
Servers
Network devices
Telephone
Cloud provider
Persons
Processes
Information
…
Assets
Source: http://cambridgeriskframework.com/getdocument/39
Cyber Security Taxonomy: From Threats to an Insured Loss (Vulnerabilities)
Buffer overflows
SQL injection
Cross-Site-Scripting (XSS)
Privilege escalation
Unencrypted data
Untrained personnel
Misconfiguration
Inadequate policies
…
Cyber Vulnerabilities
Source: https://www.riskbasedsecurity.com/2015/12/our-new-year-vulnerability-trends-prediction/
Cyber Security Taxonomy: From Threats to an Insured Loss (Threats)
Denial of Service (DoS)
Phishing
Social Engineering
Ransomware
Virus/Trojan/Worms
(Malware)
Espionage
Botnets
Zero-Day Exploits
Identity theft
…
Cyber Threats
[Figure: 2015 World Map of Malware & Threats by Sophos. Legend: Banking Trojan, Remote Access Trojan (RAT), Password Stealers, Download-Malware, Ransomware, Spambots, Bootkits, Viruses, Worms, Others. Source: © Sophos GmbH]
Cyber Security Taxonomy: From Threats to an Insured Loss (Actors)
Threat matrix by actor:
• Cybercrime: motivation is money; targets are individuals, chosen by chance or directly aimed at; organisation strongly pronounced; competence high.
• Cyberkid: motivation is fun and curiosity; targets chosen by chance or for political reasons; organisation partial; competence low to high.
• Cyberwar and cyber espionage: motivation is strategic; targets are individuals or collateral; organisation perfect; competence very high.
• Cyber-terrorist: motivation is ideology/religion; targets are ideological, anti-western, collateral, media-effective; organisation regional; competence low to high (with external help).
• Hacktivist: motivation is politics and ethics; targets are ideological and political; organisation structured; competence middle to high.
Source: https://www.europol.europa.eu/content/eu-serious-and-organised-crime-threat-assessment-socta
Cyber Security Taxonomy: Threats, Vulnerabilities, Assets, Actors
2. Cyber Attack Life Cycle

Myth: each cyber attack is different, hence prevention is impossible
• Old (successful) attacks are used repeatedly
• Re-use of code amongst criminals
• The cyber attack process is exactly the same
• Recent examples

Cyber Attack Process (Source: Cyber kill chain, Intelligence driven cyber defense, Lockheed Martin)
Cyber Attack: what does a targeted attack look like?
• Espionage: Recon, Lure
• Intrusion: Redirect, Exploit
• Evolution: Dropper, Call Home
• Attack: Data Theft, Denial-of-Service, Manipulate data
Cyber Attacks on the world of finance
Bangladesh, March 2016: Central Bank theft of USD 101 million

3. Information Security Risk Management
Accept: cyber attacks are a real threat
• Same risk irrespective of business size
• Increasing Board recognition of cybersecurity & privacy due to high profile incidents, e.g. Target
• Increasing focus from regulators
• Cybersecurity incidents: YOY 34% growth & attacks average 200 days before discovery
Why?
• Cultural: acceptance that no system is secure, and consumer privacy concerns
• Technological: cloud security and IoT
Source: 2015 TrustWave global security report; State of cybersecurity ISACA report 2015; Ponemon/IBM data breach study 2015
Cyber Risk Landscape
• Australia ranked 3rd for malicious URLs/phishing attacks & 4th globally for botnet infections (Source: Ponemon 2015)
• Average loss incurred by security breaches is under US$3 million, but this figure covers only direct costs such as forensics, PR & legal. Third party liability and damages would increase losses four-fold.
• Time for businesses to discover a sophisticated cyber attack is between 200 and 280 days
• 38% of mobile users have experienced cybercrime (Source: Symantec 2014)
• In 2013, cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion (Source: Symantec 2013)
• 71% of incidents go undetected (Source: Trustwave 2014)
• 60% of SMEs close their doors within 6 months of a cyber attack (Source: Experian, 2015)
Cyber Security Framework: NIST, a comprehensive cyber security framework used by ASIC Report 429
Identify:
• Asset management
• Risk Assessment
• Governance & Compliance
• Responsibilities
• Risk Management
• Procurement
• Working with external partners
• Recruitment
Protect:
• User access control
• Awareness & Training
• Data Security
• Information protection processes and procedures
• Protection technologies
• Encryption
• Patch & change management
Detect:
• Detection processes
• Security Incident Event Monitoring (SIEM) & anomalies
• Security continuous monitoring
Respond & Recover:
• Incident Management
• Emergency Management
• Backup
• Disaster Recovery (DRP)
• Business Continuity Management (BCP)
4. Cyber Insurance

Cyber insurance's role is secondary to cyber resilience
Risks Transferred & Service Benefits
• First Party: reputational expenses, customer support for customer notification, advertising & credit card monitoring, data recovery, business interruption, investigation and legal costs, cyber extortion, clean-up of leaked data
• Third Party: technology professional services, multimedia liability, security and privacy liability, personal data liability, corporate data liability, civil & some criminal penalties, outsourcing risk
• Benefits: access to expert panel to manage cyber event and mitigate losses
Business and Residual Risk
• Loss of or damage to reputation/trust/brand
• Betterment costs to address vulnerabilities
• Physical hardware loss/damage
• Loss of customers and jobs
• Loss in competitive advantage and markets
• CBI from service interruption of critical infrastructure
• Under- & uninsured losses (+ policy exclusions)
• Specific intellectual property, e.g. patents

Cyber Claims: Data breaches and insured costs
Insurance Risk Transfer Solutions for SMEs: Standalone cyber product to be main source of liability cover as exclusions in traditional policies become more commonplace
Cyber insurance policy
• 3rd party Cyber Liability: Privacy Disclosure/Liability, Access Failure, Security Failure, Intellectual Property, Internet Communication and Media Liability
• Crisis Consulting: Legal Counsel, Forensics, Notification Costs, Credit Monitoring
• 1st party Cyber Expenses: Business Interruption, IT Vandalism, Network Extortion, Electronic Theft, Internal Network Interruption, Administrative Fines
Munich Re modular wording: Overview of coverage elements
I. Loss or Theft of Data Coverage (1st party)
II. Confidentiality Breach Liability Coverage (3rd party)
III. Privacy Breach Protection Coverage (1st party)
IV. Privacy Breach Liability Coverage (3rd party)
V. Payment Card Industry Data Security Standard (PCI-DSS) Coverage (1st party)
VI. Business Interruption Coverage (1st party)
VII. Cyber Extortion Coverage (1st party)
VIII. Network Security Liability Coverage (3rd party)
IX. Reputational Risks Coverage (1st party)
Pricing cyber risk problematic at present
• Key problem is scarcity of data. While there are markets for assessments regarding loss frequencies due to cyber related threats, this is not the case for loss severities.
• The same holds for cyber related threats, which are well covered by various parties (commercial as well as non-commercial). However, to turn knowledge about threats into the ability to quantify loss potential, historic threats and losses have to be matched systematically. As of today, this kind of data appears not to be available.
• External pricing models unavailable, no “buy” option (RMS, AIR, Symantec, Cambridge…)
• Motivation for database project (NAIC for industry codes, Veris for cyber losses in US)
• Presently no mandatory requirements by ISA/APRA and unable to identify cyber experience in NCPD
• Presently mostly pragmatic methods used for pricing single cyber risk (i.e. ROL, benchmarking)
• Mainly non-experience-based pricing methods used globally so far
• Given very dynamic trends in cyber losses and risk of change, pricing profitability is not yet ensured
Threat modelling frameworks
There are a number of threat modelling frameworks, designed to help organisations understand cybersecurity risks in a formal, standardized way.
Frameworks:
• STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
• DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
• CVSS (Common Vulnerability Scoring System)
• PASTA (Process for Attack Simulation & Threat Analysis)
Veris Cyber data framework
APRA NCPD: Existing industry data inputs not relevant to cyber incidents
QUESTIONS & ANSWERS
Just follow up with us at your convenience
Mark Coss
Cyber Threats and Loss data for Accounting Services Sector (Source: Hiscox & Advisen)
Cyber Threat and Loss data for Accounting Services Sector (Source: Advisen)