Systemic Cyber Risk and Cyber Insurance

February 14, 2018



MARSH

Questions

1. How big is the problem?

2. Have recent massive attacks affected the industry?

3. Where is the market headed?

4. How will government policy, regulation, and jurisprudence affect the issue?


The Equation for Risk

R = V × T × C. Risk is the product of:

• Vulnerability: how exposed are your data and network?

• Threat: how targeted are your cyber assets?

• Consequences: what is the impact of the event?


“Business Blackout” (Lloyd’s, July 2015)

February 9, 2018

Lloyd’s analyzed the effects of a major attack on U.S. power and utilities.

THESIS: A cyber attack on the U.S. power grid in the Northeast United States would result in the loss of lives, economic loss of as much as a trillion dollars, disruption of water and transportation, and potentially more than $70 billion in insurance claims.

• Total impact to the U.S. economy was estimated at $243 billion, but could top $1 trillion in the most extreme version of the scenario.

• A December 2015 attack on the Ukrainian power grid is acknowledged as the first cyber attack to cause a power outage. A second outage resulted from another attack a year later, in December 2016.


Presidential Commission on Enhancing National Cybersecurity (April - December 2016)

• Followed up “Executive Order 13636: Improving Critical Infrastructure Cybersecurity” and “Presidential Policy Directive-21: Critical Infrastructure Security and Resilience”

• Offered 53 cybersecurity recommendations.

• Typical goals … increase awareness, more assessment … .

But know that …

• Even if industry were meeting a higher standard, it still could not protect itself from technological interdependency.

• Nontechnical aspects of cybersecurity are as important as cybersecurity technology.

• The U.S. government bears the ultimate responsibility … which leads to regulation wherever public safety and security are at risk.

Defining Systemic Cyber Risk (World Economic Forum, October 2016)

What is “Systemic Cyber Risk”?

• We currently lack the common lexicon …

• Working definition …

1. A cyber event within the critical infrastructure ecosystem

2. causes significant delay, denial, breakdown, disruption or loss,

3. whose consequences cascade into related ecosystem components,

4. with significant adverse effects on public health or safety, economic security or national security.


From 16 to 17 Sectors of Critical Infrastructure

• DHS added election systems in January 2017 (formally designated as a critical infrastructure subsector within the existing Government Facilities sector).

• Key Question:

Are you a “Section 9” entity, i.e., one identified under Section 9 of Executive Order 13636 as critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects?

Dyn - Vulnerability by Interdependency (September / October 2016)

• Internet of Things devices built for basic consumer use were conscripted into large-scale botnets (networks of devices infected with self-propagating malware) that executed crippling distributed denial-of-service (DDoS) attacks.

• Two large and complex DDoS attacks hit Dyn’s managed DNS service; sites that depended on Dyn for name resolution became unreachable even though their own infrastructure was untouched.

• October 2016: the Mirai botnet launched the massive DDoS attacks.

• Affected approximately 145,000 domains (including Twitter, Reddit, CNN and PayPal).

US-CERT, “Alert (TA16-288A): Heightened DDoS Threat Posed by Mirai and Other Botnets” (Oct. 17, 2016), https://www.us-cert.gov/ncas/alerts/TA16-288A
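The interdependency lesson of the Dyn outage is that a zone whose every authoritative nameserver sits with one provider fails with that provider. The following check is an added example written for this page, not code from Marsh or from US-CERT: it groups a zone’s NS records by provider and reports zones with no second provider. The NS sets below are constructed for illustration; in practice you would feed it the output of `dig NS <zone>` for each zone you own. The provider heuristic (registrable domain of the nameserver hostname) is an assumption of this example and is deliberately simple.

```python
"""Flag zones whose authoritative nameservers all depend on one DNS provider.

Added example for the Dyn discussion; not code from the Marsh deck.
"""
from collections import defaultdict

# Constructed sample: zone -> nameserver hostnames as an NS lookup would return them.
SAMPLE_NS = {
    "example-single.test": [
        "ns1.p10.dynect.net.", "ns2.p10.dynect.net.",
        "ns3.p10.dynect.net.", "ns4.p10.dynect.net.",
    ],
    "example-dual.test": [
        "ns1.p10.dynect.net.", "ns2.p10.dynect.net.",
        "ns1.provider-b.test.", "ns2.provider-b.test.",
    ],
}


def provider_of(ns_host):
    """Approximate the operating provider by the nameserver's registrable domain.

    Assumption for this example: the last two labels identify the provider
    (dynect.net, provider-b.test). This mis-groups ccSLDs such as co.uk and
    treats providers that spread nameservers over several registrable domains
    as distinct; refine it with a public-suffix list for production use.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_providers(ns_hosts):
    """Map provider -> sorted list of that zone's nameservers hosted there."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host)
    return {provider: sorted(hosts) for provider, hosts in groups.items()}


def single_provider_zones(zones):
    """Return the zones whose entire NS set depends on a single provider."""
    return sorted(zone for zone, ns in zones.items() if len(dns_providers(ns)) < 2)


if __name__ == "__main__":
    for zone in single_provider_zones(SAMPLE_NS):
        print(f"{zone}: all nameservers with {list(dns_providers(SAMPLE_NS[zone]))[0]}")
```

A zone listed by `single_provider_zones` is one where a Dyn-style outage at the provider takes the zone offline regardless of how resilient the zone’s own servers are; the remedy is a secondary provider serving the same zone data.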


The Fourth Industrial Revolution Expands the Attack Surface (i.e., No Wonder This Is Happening)


Currently there are more than 8 billion connected devices in operation. By 2020 there will be 21 billion connected devices, with half of them connecting to industrial control systems.

The Markets Are Paying Attention As Well (December 2016)

How likely is it that one systemic attack will impact multiple companies in the next 12 months?

AIG report defines Systemic Cyber Risk as an event “capable of impacting many companies at the same time.”


Protecting Against Cyber Risk Aggregation

Source: AIR Worldwide

Tools to prevent cyber risk aggregation include:

• Policy Language

• Underwriter Submissions

• External Assessments

Tracking “Silent Cyber”

MongoDB (January 2017)

• MongoDB is an open-source database used to store unstructured (document-oriented) data.

• Installed with its older default settings, MongoDB listened on all network interfaces with no authentication, so anyone who could reach the port could browse the databases, download them, or even overwrite and delete them.

• Extortion attacks in January 2017 erased approximately 29,000 MongoDB databases, leaving a ransom demand in place of the data.

Source: https://krebsonsecurity.com/tag/mongodb/

Lloyd’s “Counting the Cost” (July 2017)

• Designed to increase insurers’ and risk managers’ understanding of cyber-risk liability and aggregation.

• Analyzed the potential economic impact of two scenarios:

1. A hacktivist attack causes cloud-based customer servers to fail, leading to widespread service and business interruption. Insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss.

2. Disclosure of a widespread vulnerability in an operating system results in widespread attacks. Insured losses range from US$762 million (large loss) to US$2.1 billion (extreme loss).

How much of the loss will insurance cover?

Raising the Stakes of Cybersecurity: WannaCry and NotPetya

• May 2017: the WannaCry ransomware quickly spread globally, infecting more than 300,000 computers in 150 countries.

• In the UK, more than 80 National Health Service (NHS) hospitals were impacted.

• “North Korea has acted especially badly, largely unchecked, for more than a decade . . . WannaCry was indiscriminately reckless.”1

• Manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered over $1 billion in economic losses in the aggregate.

1. Thomas P. Bossert, “It’s Official: North Korea Is Behind WannaCry,” Wall Street Journal (Dec. 18, 2017), https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537

Meltdown and Spectre (January 2018)

• Nearly every processor manufactured in the last 20 years contains fundamental security flaws.

• The flaws arise from performance features built into the chips (speculative and out-of-order execution).

• Patches exist, but can reduce performance.

• No evidence of in-the-wild exploitation … yet.

• The flaws are so fundamental and widespread that security researchers have called them catastrophic.

IoT Regulation

• President Trump’s Executive Order 13800 (May 11, 2017) directed the Departments of Commerce and Homeland Security to identify actions to mitigate botnets.

• It sets five (5) goals for securing the IoT “ecosystem”:

1. Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace.

2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats.

3. Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior.

4. Build coalitions between the security, infrastructure and operational technology communities, domestically and around the world.

5. Increase awareness and education across the ecosystem.

Market Transparency of Cyber Risk


• Thus far, little use of SEC enforcement power to regulate cyber risk

• On May 11, 2017, the same Executive Order 13800 mandated the development of practices and policies to promote “appropriate market transparency of cyber risk management” by critical infrastructure entities.

Sector Specific Regulation

• Building on the NIST Cybersecurity Framework, sector-specific agencies increasingly require their own protocols and practices.

• States are also adopting new cyber regulations

• Inevitably, the regulation of cybersecurity will set minimum practices for what is reasonably expected to protect systems and data.

• Failure to meet these minimum standards will lead to civil cyber liability.

GDPR is Coming

• Enhanced enforcement; significant fines of up to 2-4% of global annual revenue

• Security breach notification

• Extraterritorial reach for EU data abroad

• Individual rights

• Data Protection Officer (DPO) requirements

• Notice and consent requirements

• Restrictions on secondary uses

• Accountability and privacy impact assessments

“The GDPR will change not only the European Data Protection laws but nothing less than the whole world as we know it.”

Jan Philipp Albrecht, Member of the European Parliament

The Weakest Link: Human Beings Remain a Systemic Vulnerability

91% of cyber attacks start with a phishing email.

- DarkReading, December 2016

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, Oliver Wyman.

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh.

Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.

Copyright 2014. Marsh LLC. All rights reserved. Compliance MA14-13026