Actuarial Society 2017 Convention 17-18 October 2017

Page 1: You’ve been hacked

Riekie Gordon & Roger Truebody & Alexandra Schudel

Page 2: Why should you care?

U$4.6 - U$121 billion

U$45 billion not covered

- Lloyds

Page 3: The plot thickens…

2016 Barkly Survey:

“It’s a business model that works and you don’t need a lot of investment to actually get a decent return,” Tim Wellsmore, of FireEye, a network security company

52% not planning security changes

33% of IT professionals hacked

Page 4: Why should you care?

[Diagram labels: Suppliers & partners; Employees; Email system; Reputational damage; Data loss; Business interruption]

Page 5: Agenda

1. Cyber drivers

2. Dealing with it

3. Integration

4. Transfer

Page 6: Cyber drivers: If you only remembered five things!

1. Introduced by connected technology; the impact is primarily experienced at a business level.

2. This is a pervasive risk, dealt with via programmes, not projects.

3. Management oversees risk, monitors relevant policies and procedures, and plays a significant strategic role in overseeing and interrogating the response to the cyber threat.

4. Management is including cyber risk as a regular agenda item (often as a “Top 5 risk”) and is mandating sub-committees (e.g. Risk, Audit) to oversee management of, and response to, this risk.

5. Management needs to understand the defensive value chain and link it to other macro business developments.

Refer to the impact factors of a cyber attack.

Page 7: Cyber drivers: Tools, tactics & procedures

• Social engineering

• Phishing

• Botnets

• Exploits

• Ransomware & doxxing

• DDoS

• Website compromise

• Password theft

• Evasion tactics

Page 8: Cyber drivers: Threat vectors

Understanding your threat landscape is the start

• Suppliers & partners

• Employees

• Mobile devices

• Smart devices

• Customers

• Email

Page 9: Reality check: Examples

What do you stand to lose?

• R300 million ($19 million) from ATMs

• Social engineering

• Employees

• Lawsuits total $1 billion.

• Website compromise??

• Password theft

• Target CEO & head of technology fired

• Employees

• Password theft

Page 10: Cyber drivers: Accountability

• Board level obligation to extend due care (King IV report)

• Personal executive accountability

Considerations:

• Measuring and managing it

• Confidentiality and regulatory frameworks

• Brand, reputation and market perception

• Security as a market differentiator

• Diffusion of commercial benefit

Page 11: Reality check: Examples

How were the Gupta emails leaked?

Page 12: Dealing with it… 10 Key questions

1. Do we demonstrate effective management of cyber risk?

2. Do we have the right leader and talent?

3. Do we have appropriate cyber risk escalation frameworks, risk appetite, and reporting thresholds?

4. Do we focus on, and invest in, the right things? If so, do we evaluate and measure the results of our decisions?

5. How do our cyber risk programmes and capabilities align to our peers?

6. Do we have a cyber-focused culture, organisation wide?

7. What have we done to protect the organisation against third-party cyber risks?

8. Can we rapidly contain damages and mobilise response resources when a cyber incident occurs?

9. How do we evaluate the effectiveness of our organisation’s cyber risk programme?

10. Are we a strong and secure link in the highly connected ecosystems in which we operate?

Refer to “Assessing cyber risk - Critical questions for the Board and C-suite”.

Page 13: Dealing with it…

In our response/approach, how have we considered:

• Action plan

• Cyber program & governance

• Possible tactics

• What are they after

• Who might attack

Page 14: Dealing with it…

Risk-management-driven cyber security means that risk exposure dictates the allocation of budget and effort.

• Integrate cyber strategy with business strategy

• Protecting the heart of the business, critical operations

• Identify and protect your crown jewels, data

• Don’t allow gaps to leave you exposed

• Develop a strong cybersecurity framework

• Non-negotiable areas to fortify

• Security starts at the top: Put a senior executive at the helm

Page 15: Dealing with it…

Managing cyber risks:

• Action plan

Secure: Your actual defences against an attack, including everything from cybersecurity strategies to policies and procedures to systems and controls.

Vigilant: Your early warning systems, which enable you to identify potential threats before they hit, and to quickly detect attacks and breaches as they occur.

Resilient: Your ability to respond quickly to attacks, and to bounce back quickly with minimal impact on your organisation, reputation and brand.

Page 16: Integration

• Processes & procedures

• Risk Appetite

• Risk/ORSA policy

• SAM / ERM framework

• Measuring / quantifying

• Risk Register

• Reporting structures

Page 17: The Insurance Involvement

• Broker / Benchmark

• Insurer - Incident Response Platform

• Risk Management / Simulations / Environment Analysis

Page 18: Cyber event: the first 24 hours

1. Pre-event: risk profile analysis and landscape analysis

2. Pre-event: artefact collection – digital footprint

3. Event: analysis of actual incident

[Diagram labels: What was clearly affected? Define strategy. What information do we have? Where is it? Pathways? Type of attack: pre-defined strategy]

Page 19: Incident Response Network

• Incident manager

• IT Forensics

• First notification of loss

• Regulatory Notification

• Extortion

• Public Notification

• Public Relations

• Identity protection

• Legal

Page 20: Privacy Liability

The Coverage: Wrongful disclosure of personal & corporate information

• Defence Expenses

• Legal Liability

• Regulatory Defence Expenses

• Privacy Related Fines/Penalties

Page 21: Security Liability

The Coverage: Failure to deter a Computer Malicious act

• Defence Expenses

• Legal Liability

• Regulatory Defence Expenses

• Privacy Related Fines/Penalties

Page 22: Incident Response costs

The Coverage:

• Incident Management

• Forensic Investigation

• Notification

• Fraud Remediation

• Legal Consultation

• Public Relations

Page 23: Internet media liability

The Coverage: Electronic Media Content

Defence Expenses & Legal liability for:

• IPR infringement

• Defamation/Libel/Slander

• Negligence

Page 24: Cyber Extortion

The Coverage: Expense & Extortion payments arising from threats to exploit vulnerabilities or release information

- Ransomware

Page 25: Data Asset Loss & Business Interruption

The Coverage: Business Income Loss and Recovery Costs arising from network outage…

Page 26: Data Asset Loss & Business Interruption

The Coverage: Recovery Costs to deal with loss/corruption of data…

Page 27: Data Asset Loss & Business Interruption

The Coverage: … Caused by

• Computer Malicious Acts

• Malware & Hacking

• Unauthorised Use or Access

• Programming/ Human Error

• Power Failure

Page 28: Claims examples: Ransomware

• Car components manufacturing company

• Malicious link

• Malware, encrypting information

• Demand R100,000

• Incident response manager

• IT forensic investigator

• Determine whether the company can avoid paying the ransom

Network Security Liability:

• Failure of insured’s network security

Cyber Extortion:

• Costs addressing threats unless extortion monies are paid.

• Information technology consultant fees

Data Asset Loss:

• Costs of replacing lost/ corrupt data

Incident Response Expenses:

• Forensic investigation costs

• Legal consultation fees

• Incident Response Manager fees

Page 29: Claims examples: Disparagement via email

• Internal email containing negative comments regarding a service provider

• Forwarded internally and eventually sent externally

• The email is seen by the service provider

• Defamation lawsuit for harming the service provider’s reputation

Media Liability:

• Third party claims arising from Insured’s Internet media activities.

• Wrongful Acts include product defamation, disparagement, trade libel, false light, plagiarism.

• Defence and settlement costs for claims from service provider.

Incident Response Expenses:

• Crisis communication services

• Public relations expert fees to minimise reputational impact

• Incident response manager fees

Page 30: Claims count by trigger

Hack 30%

Human error 18%

Lost/Stolen devices 15%

Rogue Employees 12%

Unknown 12%

Privacy Policy 6%

Paper 5%

Software Error 2%

Page 31: Claims count by industry

Healthcare 31%

Professional Services 15%

Technology 10%

Retail 8%

Financial Institutions 8%

Education 7%

Travel & Hospitality 6%

Page 32: Cyber Claims and Industry Trends

Triggers by Industry Segment

[Chart: Healthcare – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; data labels as extracted: 7%, 25%, 18%, 21%, 10%]

[Chart: Financial Institutions – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; data labels as extracted: 37%, 7%, 19%, 13%, 6%]

Page 33: Cyber Claims and Industry Trends

Triggers by Industry Segment

[Chart: Professional Services – categories Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; data labels as extracted: 23%, 10%, 26%, 20%, 5%]

[Chart: Public Entity – categories Hack, Paper, Human Error, Unknown, Privacy Policy; data labels as extracted: 64%, 7%, 11%, 7%, 12%]

Page 34: What is not covered?

• Deliberate fraud/ dishonesty (final adjudication) – Rogue Employees covered

• Bodily Injury or Property Damage

• Internet service provider hosting your website (unless under your control)

• Acts of war – Cyber Terrorism is covered

• Unauthorised collection of Personal Data – unintentional is covered

• Equipment/ hardware

Page 35: Considerations

• Capacity available in the market

• What limit is appropriate

• Quantification

• Follow on D&O claims

• Complex to understand – fear of IT

Page 36: Considerations cont.

• Condition Precedent language – beware

• Systemic breaches a possibility

• Scale of losses for insurance market

• What is needed to quote

Page 37:

• According to PwC’s report Global Economic Crime Survey 2016, 32% of South African organisations have experienced cybercrime, and it is the fourth most reported type of economic crime in the country, and second internationally.

Page 38: Why should you care?

Take it seriously

Page 39: So what…

• Do you understand your risk?

• How much exposure do you have?

• Do you need to change controls or be more pro-active about training or cyber-watch?

• The risk is not going away, are you prepared?