Cybersecurity Risks: Insurance Solutions
December 8, 2017
Naureen Rasul – Regional Financial Institutions Industry Leader, Asia
MARSH

Cyber Risk: Asia-Pacific In Numbers
Source: MMC Cyber Handbook 2018

Cyber Risk: A Higher Threat Potential In Asia-Pacific
Source: MMC Cyber Handbook 2018

Cybersecurity is no longer just an IT department issue.

Who Is Affected In A Cyber Breach?

How Do Cyber Risks Impact Your Organization?
• Operational Disruption
• Employee Exposures
• Lawsuits and Reputational Harm
• Regulatory and Legal Implications

What Are The Most Targeted Business Sectors?
Source: 2017 NetDiligence Cyber Claims Study
• Education: 4%
• Financial Services: 13%
• Healthcare: 18%
• Hospitality: 4%
• Nonprofit: 8%
• Professional Services: 18%
• Retail: 11%
• Technology: 7%
• All Others: 17%

What Is The Threat Environment?

TERRORIST OR STATE
The ability to create physical outcomes through the use of remote hacking of critical infrastructure represents an appealing option for terrorist groups.
• Disruption to critical infrastructure
• Economic impact
• Loss of life
• Damage to property

CRIMINAL
Hacking has become a mainstream activity for organized crime, targeting digital assets of an organization that can be acquired or sold on.
• Personal information
• Credit or debit card information
• Funds
• Intellectual property

HACKTIVIST
Hacktivists represent a formidable foe due to the technical capability of the individuals involved and can target organizations for a variety of reasons.
• Public support for a cause
• Direct impact of core activity
• Corporate or industry-wide scandal
• Top corporate brand target

MALICE
Where technical ability and motive combine, those who bear the organization ill are able to act maliciously by electronic means.
• Disgruntled employee or customer
• Proof of ability
• Untargeted malicious code
• Random selection

What Are The Cyber Statistics?
Source: 2016/2017 Global Fraud & Risk Report - Kroll
85%
The number of executives who said that their company experienced a cyber attack, information theft, loss or attack in the last 12 months.

How Do Cyber Incidents Happen?
Source: 2016/2017 Global Fraud & Risk Report - Kroll
• Attack using software vulnerability: 26%
• Employee error/accident: 22%
• Attack against corporate website: 22%
• Theft of device containing data: 20%
• Employee malfeasance: 16%

Who Are The Perpetrators?
Source: 2016/2017 Global Fraud & Risk Report - Kroll
[Chart: perpetrators by category: Ex-employees (20%), Freelance/temporary employees, Agents and/or intermediaries, Permanent employees, Vendors/suppliers, Customers, Competitors, Joint venture partners]

Who Has Data Privacy and Breach Disclosure Regulations?
Source: MMC Cyber Handbook 2018

What Are The Breach Notification Requirements?
[World map: countries shaded by breach notification requirement]
■ Notification Required
■ Notification Not Required but Certain Action Required or Recommended
■ Notification Not Required

Policy Terms and Conditions

What Does A Simplified Data Breach Timeline Look Like?

DISCOVERY
Discovery can come about in several ways:
• Self-discovery
• Customer inquiry or vendor discovery
• Call from regulator or law enforcement

FIRST RESPONSES
Forensic Investigation and Legal Review
• Forensic tells you what happened
• Legal sets out options / obligations

EXTERNAL ISSUES
• Public Relations
• Notification
• Remedial Service Offering

LONG-TERM CONSEQUENCES
• Income Loss
• Damage to Brand or Reputation
• Regulatory Fines, Penalties and Consumer Redress
• Civil Litigation

Policy Terms And Conditions
Key Insuring Clauses

First Party Costs and Other Expenses
Network Business Interruption
• Loss of Revenue
• Incurring of Operating Expenses / Extra Expenses
Data Asset Restoration
Crisis Management
• Forensic Investigations
• Notification Costs
• Account / Credit Monitoring Costs
• Public Relations Costs
Cyber Extortion
• Ransom Payments
• Rewards Payments
Regulatory Investigation
• Legal & Regulatory Advice Costs
• Investigation Costs
• Fines & Penalties (where insurable)

Third Party Liability and Defense Costs
Media Content Liability
• Legal / Defense Costs
• Damages
Third Party Liability
• Privacy and Data Breach
• Failure of Network Liability
• Damages and Defence Costs

Case Studies

Recent Cyber Attacks in Asia-Pacific
Source: MMC Cyber Handbook 2018

Thailand In The News
THAILAND MOST PRONE TO ENCRYPTION-RELATED CYBER ATTACKS IN THE REGION
November 2016 – BusinessInsider
KASPERSKY REPORT NEARLY 62,000 CYBER ATTACKS IN THAILAND IN Q2 2017
August 2017 – Thaitech
HIGH ALERT OVER GLOBAL ATTACKS, INCLUDING THAILAND
May 2017 – The Nation
ANONYMOUS HACKS THAI NAVY, MINISTRY OF FOREIGN AFFAIRS
December 2016 – HackRead

Other Headliners
THAI MOBILE OPERATOR SUFFERS DATA BREACH
September 2016 – QUANN
NEW RIPPER MALWARE FUEL THAI ATM ATTACKS
August 2016 – BankInfoSecurity
DATA BREACH REVEALS EXPAT DETAILS IN THAILAND
March 2016 – Channel NewsAsia

Case Study – Stolen Records (Insurance Company)
• February 2015 – Criminals hacked into its servers and stole over 78M records containing personal information.
• Attack exposed addresses, birthdays, emails, employment information, income data, names and Social Security numbers.
• Hacker “spear-phished” the employees, led them to fake websites, stole and then used their credentials to access the company’s systems.
• All business units were affected and the hack had gone on for over 10 months.
• January 2017 – Law enforcement officials announced that the hacker was acting on behalf of a foreign government.
• Settlement costs include $2.5M for expert consultants, $115M for implementation of security improvements, $31M for notification to affected individuals, and $112M for credit protection to impacted customers.
Is there coverage under a cyber liability policy?

Case Study – Ransomware (Web Hosting Company)
• Hackers held the company’s database, files, systems and devices hostage via encryption.
• They then demanded that the company pay a $4M ransom in cryptocurrency in exchange for the decryption key.
• More than 150 Linux-based servers were infected and the attack affected about 3,400 business websites and their hosted data.
• After 8 days of negotiations, the company finally agreed to pay the $1M ransom.
• Ransom amount had to be paid in three installments because the company had insufficient funds.
• The company is expected to make the final payment once all the servers from the first and second payouts have been restored.
Is there coverage under a cyber liability policy?

Case Study – Malware (Bank)
• Group of Eastern European criminals hacked into a bank’s ATM network.
• July 2016 – Malware attacked the cash machines run by a bank in Bangkok and 5 other provinces.
• Malware instructed the ATMs to spew cash on demand in lots of 40,000 Baht.
• The bank immediately deactivated about 3,000 ATMs across the country.
• According to the CEO’s public statement, all ATMs are expected to be back online within the month.
• During the infected period, the criminals stole a total of 12.29M Thai Baht.
Policies shown on the slide:
• Crime Insurance
• Professional Indemnity
• Cyber Insurance
• Directors and Officers Liability

Underwriting Cyber Risks

What Do Underwriters Look For?

Basics
• Number and type of records
• Revenue
• Industry

Culture
• Management dedication to data management
• Board approved data management policies

Records Management
• Detect – Type and amount of information
• Protect – How is data protected
• Plan – Board approved information security program

Network Operations
• Patch management, backup and testing
• Review of network and security assessments
• Volume and activity

Vendor Management
• Due diligence of service providers
• Contract management

Regulatory Compliance
• Number and types of regulation
• How long compliance has been achieved

Loss Experience
• Number of losses suffered

Questions?