What Can Go Wrong in the Digital Age? Cyberthreats, Data Breaches, and Privacy Invasion
Gregory L. Goetz
Scripps Networks Interactive Inc.
9721 Sherrill Blvd Knoxville, TN 37932
Gregory L. Goetz currently serves as Vice President of Risk Management for Scripps Networks Interactive, Inc., a cable and satellite network television media company operating six cable networks: Food Network (FN), Home and Garden Television (HGTV), The Travel Channel (TC), Do It Yourself Network (DIY), The Cooking Channel (CC), and Great American Country (GAC). He specializes in enterprise-wide risk management practices, identifying emerging opportunities and trends while minimizing downside risk through strategic and integrated collaboration with identified risk owners and key stakeholders, with specific emphasis on network security and privacy risk management processes. Greg has expert knowledge of all commercial insurance policies, particularly directors and officers, media liability, and network security and privacy, along with various other alternative risk transfer programs.
What Can Go Wrong in the Digital Age? Cyberthreats, Data Breaches... ■ Goetz ■ 3
Table of Contents
I. Introduction ............ 5
II. Presentation ........... 5
I. Introduction
As individuals, businesses, and governments become increasingly dependent on technology, challenges associated with cyberliability, cyberterrorism, ransomware, and intellectual property protection have become the new normal. And, with the popularity of devices such as Amazon Echo and Google Home, concerns regarding the impact of these and similar technologies on personal privacy are prevalent. Greg Goetz will challenge you to consider the ever-present data breach and privacy invasion threats faced by individuals and organizations as we continue into the digital age, and will examine the availability of insurance coverages to afford protection when inevitable liabilities arise.
II. Presentation
Gregory L. Goetz, C.P.C.U., A.R.M.
Vice President, Risk Management
Scripps Networks Interactive, Inc.
What Can Go Wrong In The Digital Age? Cyber Threats, Data Breaches, and Privacy Invasion
Defense Research Institute – October, 2017
Source: iStock Photos
6 ■ Annual Meeting ■ October 2017
Media and entertainment company operating six (6) cable, satellite networks in the USA
Poland, London, Singapore, Brazil, Italy, New Zealand
◦ I am not a lawyer
◦ My comments and conclusions - not those of Scripps
◦ Licensed insurance agent and 30 years corporate risk management experience
Presentation Overview and Deliverable:
◦ What is happening today – threats constantly evolving and events continue to occur
◦ Insurance coverage and uncovered exposures
◦ What will happen tomorrow – connected devices, driverless cars and smart homes, risk aggregation and perhaps ‘Cloud Armageddon’
Can we manage and keep pace with technological change?
More questions than answers. Many matters have not been litigated
‘Litigation is on the Way’
What Can Go Wrong? Plenty!
Source: Getty Images
‘Cybercrime is a huge global problem due to the Internet of Things (IoT) and inter-networking of physically connected smart devices. More attacks are growing and crime groups are now working together. Unfortunately, cybercrime is very profitable, costing the world $600(AUD) billion globally’
◦ Eugene Kaspersky, Chairman and CEO of Kaspersky Lab
Source: http://thefinancialexpress-bd.com, May 24, 2017
Source: AP Moeller – Maersk Website, July 2, 2017
Early threats were mainly hackers or ‘hacktivists’ looking to deface or take websites offline. More for fun and disruption
◦ Today it is about business disruption, extortion, ransom
Some credit card numbers, PII, and other information compromised but not to be sold on the black market, etc.
◦ There is now a thriving black market with data being bought and sold
Relatively few terrorists or state sponsored actors
◦ Terrorism or interference by state actors, governments is here to stay
The loss frequency and severity not high
◦ Losses continue to escalate despite increased spending on security
Few, if any, cyber insurance products or cyber related insurance policy exclusions
Technology is changing the risk profile
Innovative technology is going to disrupt the insurance market
New Technology
◦ SaaS, BYOD, mobile devices, VPN, online banking, the cloud, apps for downloading, Blockchain, Artificial Intelligence
Threats constantly evolving
◦ Ransomware, state actors, terrorism, social engineering, multiple vendor access points, IoT
Impact – higher frequency, higher severity, more risk aggregation
We’ve heard these statements:
◦ ‘The largest ‘taxi’ company owns no vehicles’
◦ ‘The largest room accommodator owns no property’
◦ ‘The largest media entity owns no content (yet)’
Don’t know if these statements are true but technology is - and will continue to be - a great disruptor
Chart: Emerging Technologies - Benefits and Consequences (axes: Benefits vs. Negative Consequences). Technologies plotted: Geo-engineering; Proliferation and ubiquitous presence of linked sensors; Artificial Intelligence; Blockchain; Virtual and augmented reality; Nanotechnology; Space technology; New Computing Technology; 3D Printing; Energy capture, storage and transmission.
Source: World Economic Forum, Global Risk Report 2017, 12th Edition
Cyber Breach Events Continue to Occur Despite Spending and Awareness on Cyber-Security
Estimated spending on cyber security = $75 billion
But cyber crime alone costs $400 billion (USD)
And mirrors the legitimate growth of the digital economy at $4.2 trillion
Are we getting maximum value for the spend on security?
Source: Lloyds Report – Closing the Gap, Insuring Your Business Against Evolving Cyber Threats, July 2017
(1) http://www.gartner.com/newsroom/id/3135617
(2) https://www.bcg.com/documents/file100409.pdf
Chart: Source: FBI Internet Crime Report 2016
$115,000,000 to plaintiffs
$38,000,000 to plaintiff attorneys
$30,000,000 (estimated response costs)
$20,000,000 (estimated security upgrades per the settlement agreement)
Other costs to be determined
‘PAST’ CYBER EVENTS (Generally >12 months ago)
Water supply hacked and contaminated - March 2016
Power grid hacked in Ukraine – December 2015
German building control system hacked, overloaded, caused explosion - December 2014
Baby Monitors Hacked
DNC hacked – elections at risk – July 2016
Source: Getty Images
Pirates allegedly successfully hacked into the computer-held cargo logs of a vessel carrying many large ocean cargo containers. The pirates could then determine precisely which container held the most valuable cargo. Upon boarding the vessel, the pirates could then raid those pre-identified containers with laser focus.
Source: www.foxnews.com – From High Tech to High Seas, Pirates Hack Shipping Company, James Rogers March 2, 2016
Photo Source: Getty Images
RECENT CYBER EVENTS (Generally <12 months ago)
$350 Million – M&A Impact
Doll that records conversations now classified in Germany as ‘Illegal Espionage Apparatus’
Employee error shuts down some AWS service
DDoS caused by IoT
‘Orange is the New Black’ Programs held for ransom
British Airways – System failure leads to widespread outage
Bank of Bangladesh – Largest bank heist ever – almost $1B
El Faro Sinking – Several insurers sue GPS maker for faulty weather reports, leading to sinking
New cyber security regulations
Negative security research report
New Technologies: IoT exploding
Ransomware: WannaCry hits 75+ countries; Petya/NotPetya causes wide-spread outage
Fraud E-mail/Wire Transfers: SWIFT almost cost $1B
Software Errors/Omissions: Ship owner sues GPS for sinking
The Human Element: Amazon employee ‘fat finger’
Cyber-terrorism, War, Nation State Tools: Just a matter of time?
Changing Laws, Rules, Court Opinions: FTC, SEC, 50 states, NY State
Denial of Service: IoT connected devices flood Dyn
Supply Chain: Loss of power grid or major cloud provider
Artificial Intelligence: What will be the overall impact?
Hooligans biker gang steals 150 Jeep Wranglers using stolen codes and key designs
◦ Staked out Wranglers to copy VIN numbers, then compromised the proprietary Jeep database to steal a copy of the key design and codes based on the VIN
◦ Armed with the fake key, they used a cheap electronic hand device to pair the key to the car’s computer
◦ 150 cars stolen, costing approximately $4.5 million
Just how secure are cars? Will driverless cars become easy targets?
Source: ‘How Hacked Computer Codes Allegedly Helped a Biker Gang Steal 150 Jeeps’ by Hamza Shaban, Washington Post, June 1, 2017
Ponemon Research Report: Medical Device Security – An Industry under Attack and Unprepared to Defend, May 2017
67% of health care equipment device makers expect a cyber attack on their device in the next twelve (12) months
56% of health care organizations expect a cyber attack on their organizations in the next twelve (12) months
59% of equipment device makers have little confidence adequate security protocols and architecture are built into the device(s)
Only 33% of device makers encrypt data traffic among the IoT devices
Only 29% of health care organizations encrypt data from the IoT devices
31% of device makers are aware that an event or harm to patients due to insecure medical device has already occurred
40% of device makers are aware that an event or harm to patients due to insecure medical device has already occurred
The case of St. Jude Medical and Muddy Waters Capital, LLC.
Muddy Waters engaged a security firm (MedSec Holdings) to evaluate the security of St. Jude heart defibrillators
MedSec’s report found security vulnerabilities in the defibrillators
Muddy Waters Capital, LLC had taken short positions in St. Jude Medical stock, meaning it would capitalize if the stock price dropped
St. Jude was later acquired by Abbott Laboratories who issued a patch in partnership with the FDA which confirmed the vulnerability
Should Muddy Waters have taken a short position on a security vulnerability?
Should Muddy Waters have gone directly to St. Jude?
Settlement language proposes Muddy Waters not disclose future Abbott product cyber-security flaws to FDA or Homeland Security unless subpoenaed
◦ "MW hereby rejects your noxious settlement proposal that attempts to gag us and [other researchers] from assisting FDA, DHS," (Muddy Waters wrote on Twitter on Thursday afternoon, referencing the Food and Drug Administration and the Department of Homeland Security)
• Abbott maintains settlement language also contains reference to not interfering with any government inquiry or investigation
Is this the next ‘bug bounty’ exposure – locate a cyber-security flaw, short the stock, then go public with the flaw?
Started over the release of the movie The Interview (Intellectual Property Asset)
Likely North Korean state sponsored terrorism (State sponsored actor)
Intent was to disrupt business and business processes (Business Income Loss)
Damage to data, systems, software, programs (Physical loss to data assets)
Release of sensitive PII information of past and current employees (PII)
Threats made to employees and family members (Loss of morale)
Damaging internal e-mail of executive officers released (Reputational Loss)
Sensitive information of talent and other third parties released (PII)
Sony CEO was terminated (Careers harmed)
IoT and Privacy – Watch out!
Consumer Complaints Up Across the Board!
Chart: Total Complaints by year
2001: 325,519
2002: 551,622
2003: 713,657
2004: 860,383
2005: 909,314
2006: 906,129
2007: 1,070,447
2008: 1,261,124
2009: 1,428,977
2010: 1,470,306
2011: 1,898,543
2012: 2,115,079
2013: 2,175,912
2014: 2,633,697
2015: 3,140,803
2016: 3,050,374
Source: FTC’s Consumer Sentinel Network Data Book, February 2016
“Frenchman Sues Uber for $48 Million - App Glitch He Says Made his Wife Suspect He Was Cheating”
◦ Frenchman used his wife’s phone to summon an Uber ride
◦ Claims to have signed out of the Uber app but it continued to record his Uber trips on his wife’s phone
◦ Wife suspected an affair and filed for divorce
Your ‘Smart TV’ Might be Smarter Than you Think
◦ Vizio pays $2.2M to settle charge by the FTC its software collected television owner’s viewing data without knowledge or consent
◦ FTC alleged PII data removed but IP addresses supplied to data aggregators to match TV viewing habits with personal information like age, sex, income, marital status, education, etc.
◦ Vizio collected up to 100 billion anonymized viewing data points each day from its TVs
◦ Now provides clear notice and opt-out consent with instructions
(1) The Washington Post, February 13, 2017
(2) New York Times Online, February 2, 2017
Siri, Cortana, Alexa – What are they collecting?
◦ Man found dead inside home connected to Alexa – did it record conversation?
◦ Police may subpoena records related to murder
IoT Devices Inside Personal Vehicles
◦ “Black Box” inside newer cars will track and record data
◦ Rental cars can capture your cell phone data when synced via USB cord
◦ Consider the future for litigation: What information of value will the ‘Black Box’ contain for litigation purposes? What about litigation holds – how will the evidence be preserved?
Bose Corporation
◦ Privacy class-action lawsuit alleging Bose records and keeps customer’s listening habits without permission, violating wiretapping law(s)
◦ Bose Connect – a free software app that helps consumers download and listen to favorite music
Beware the EU General Data Protection Regulation (GDPR)
◦ Takes effect May 2018
◦ Wide and sweeping privacy and security regulation
◦ Heavy focus on consumer choice: right to be forgotten, upfront consent to collect data, consumer right to have all records destroyed, etc.
◦ Significant fines for non-compliance (up to 4% of global revenue)
◦ Any US business targeting an EU consumer falls under this new regulation
Other FTC Privacy Matters of Interest:
◦ FTC vs. Turn, Inc.
◦ FTC vs. D-Link Corporation
What Could Go Wrong? The Insurance!
Source: iStock Images
Will insurance coverage keep up with the changing exposures?
◦ The pace of change in technology and litigation will exceed the industry’s ability to model, price, and write policy coverage forms
Can insurance companies underwrite and price the risk given the constant change and loss aggregation?
◦ The aggregated risk modeling needed for cyber interconnected exposures does not exist
Many policy forms have not been litigated
◦ ‘There are over 67 different cyber insurers with 67 different applications, submissions, processes, underwriting, policy forms and claims handling processes’ – Kevin Kalinich, Aon Cyber Practice Leader
The insurance industry can place up to $500 million - $600 million cyber coverage (generally) on any one risk
Some large organizations should be able to get up to $500 million to $1 billion (or more)
Retailers and other large credit card handlers have difficulty securing adequate limit for PCI-DSS related risks and will have sub-limited coverage
Many other policy sub-limits may apply, such as for notification costs
Insurers are wary about risk concentration and risk interconnections
Will there be enough capacity to fully cover all cyber related risks?
Chart: Stand Alone Cyber Statutory Filings
◦ Pure Loss Ratio: 47.1%
◦ Defense and Cost Containment: 10%
◦ Expense Ratio: 28.7%
◦ Adjusting Expense: 2.7%
◦ Overall Combined Ratio: 88.5%
◦ Profit: 11.5%
Source: Aon: Cyber Update, 2016 Cyber Insurance Profits and Performance Report, May 2017 – Stand Alone Cyber Statutory Filings
Cyber risk impacts? What insurance is available? What insurance is unavailable? What are the coverage issues and concerns?
Diagram: Sample Breach Impact Costs
◦ Regulatory Action (FTC, SEC, States, GDPR)
◦ Reputation and Stock Price Drop
◦ First Party Notification et al expenses
◦ System restoration for increased security
◦ Bank Credit Card Fine, Penalty, Assessment
◦ Business Interruption and Extra Expense
◦ Damage or corruption to data, programs, software
◦ Civil Suits, Consumer Class, Cost to Defend
◦ Value of lost contract or customers
◦ Ransom Payment
◦ Loss of Intellectual Property
◦ Loss/theft of funds (BEC)
◦ Directors and Officers Derivative Shareholder Litigation
◦ Bodily Injury and Property Damage
◦ Privacy Breach
◦ Product Liability
Source: Deloitte – Beneath the Surface of a Cyber Attack, A Deeper Look at Business Impacts, 2016
Deloitte Example: Health Insurer Breach Scenario
Item                                               Estimated Cost   Duration
Above the Line
  Post-breach customer protection                  $21,000,000      3 years
  Cyber-security improvements                      $14,000,000      1 year
  Customer breach notification                     $10,000,000      6 years
  Attorney fees and litigation                     $10,000,000      5 years
  Regulatory compliance (HIPAA fines, etc.)        $2,000,000       1 year
  Public relations                                 $1,000,000       1 year
  Technical investigation                          $1,000,000       6 years
Below the Line
  Value of lost contract revenue                   $830,000,000     5 years
  Value of lost customer relationships             $430,000,000     3 years
  Devaluation of trade name (reputation and brand) $230,000,000     5 years
  Increased cost to raise debt                     $60,000,000      5 years
  Insurance premium increases                      $40,000,000      3 years
  Operations disruption                            $30,000,000      immediate
  Loss of intellectual property                    $ ?              1 to 3 years
Source: Deloitte – Beneath the Surface of a Cyber Attack, A Deeper Look at Business Impacts, 2016
Media, Cyber, Privacy Liability
◦ Network Security Liability
◦ Privacy Liability
◦ Extortion (ransom) Threats
◦ Regulatory Proceeding
◦ Consumer Redress Funds
◦ PCI – DSS
◦ Crisis Management – PR
◦ Business income, extra expense
Professional Liability
◦ Consulting, other professional E&O
◦ Technology Liability E&O
◦ Technology products, hardware, software
First Party Property Insurance
◦ Damage to data, programs, software
◦ Business interruption and extra expense
◦ Off premises data services time element
Commercial General Liability
◦ Carve back for bodily injury
◦ Products Liability (may need separate policy)
Crime Insurance
◦ Computer Fraud
◦ Funds Transfer Fraud
◦ BEC (fake executive/employee or vendor e-mail)
Directors and Officers
◦ Derivative Shareholder Litigation
Kidnap and Ransom
◦ Cover for extortion/ransom (ware)
Some of Deloitte’s below the line costs
Loss of Business Reputation or Brand Value
◦ Cyber insurance does not cover the financial loss arising from brand or reputational impact
IP In Your Care, Custody, Control (Mossack Fonseca Law Firm - “Panama Papers”)
◦ What about intellectual property of others in your care, custody, control?
◦ Cyber/legal malpractice policies need to be reviewed very closely to determine if coverage exists for loss of data or IP (e.g. sensitive business contracts) in care, custody, control
Loss of Business Contracts or Relationships
◦ Some cyber and property policies now include business interruption loss. Check policy closely for loss of business contracts or relationships
Loss of Your Intellectual Property or Business Valuation
◦ Value of trade secrets, trade dress, patents are not covered
◦ A failed merger & acquisition due to a security breach - consider the downside costs!
The New Wolves of Wall Street
A new class of cyber criminals is targeting companies’ private information
“It is no longer hacking for a quick payout. It is hacking as a business model.” Preet Bharara, US Attorney
Source: The New Wolves of Wall Street, Michelle Kerr, LRP, July 5, 2016
Photo Source: Getty Images
Cyber-Terrorism or War
Experian Prediction #2: Nation-State Cyber Attacks Will Move from Espionage to War (1)
◦ Cyber-terrorism coverage can be included with clear and broad definition
◦ Be certain the coverage applies to ALL computer systems – yours, the cloud, mobile devices – and not limited solely to your computer system
◦ Be certain ‘data’ is included if not already in the definition of a computer system
◦ Compare the war exclusion to cyber-terrorism coverage - NBCU vs. Atlantic Mutual – U.S. District Court, Los Angeles, Ca. June, 2016 (terror or war) media production case filed recently
Breach of Contract
◦ Problematic exclusion for a policy insured
◦ Used by Federal vs. PF Chang to defeat coverage
◦ Where possible, use “for” versus “arising out of, related to, or in connection with…a breach of contract”
◦ Carve backs to the exclusion for breach of contract are available for PCI-DSS coverage, technology, and professional services contracts
(1) Data Breach Industry Forecast, Fourth Annual 2017, Experian Data Breach Resolution
Policy Exclusion(s) – Failure to follow ‘reasonable security practices’
◦ Columbia Casualty Insurance v Cottage Health Systems - No. 2:15-cv-03432, United States District Court for the Central District of California
◦ ‘Reasonable security practices’ is very subjective so be mindful of the exclusion
◦ Some policy applications may have the same language, warranty, so be cautious
Policy Retroactive Dates
◦ A policy retro-date can defeat coverage for a cyber event not yet known
◦ This has been the source of numerous coverage denials and issues
Policy Sub-limits
◦ New Hotel Monteleone LLC v Certain Underwriters at Lloyds of London, No. 2015-11711 (Civ Dist. Ct. Orleans Parish, Louisiana)
◦ PCI-DSS sublimit of $200,000 for credit card association fines and penalties with a full policy limit of $3,000,000. Payment card processor (BMO Harris Bank) made demand for fraud recoveries/assessments that insurer contends are sub-limited to $200,000
◦ Hotel argues: 1) sub-limit applies only to card association claims but not processor, 2) full policy limit would apply to reimbursements, fraud recoveries, or assessments, 3) the sub-limit is limited to card association (MasterCard, Visa) imposed fines and penalties so the full policy limit applies to all other claims
◦ Moses A Ryan, Ltd v Sentinel Insurance Company, US District Court, District of Rhode Island, April 28, 2017
◦ Ransomware, encrypted and locked files, 3 months, $700,000 loss of revenue
◦ Policy covered business income, extra expense for ‘direct physical loss or damage’
◦ Policy sub-limit of $20,000 under Cyber and Media Endorsement
◦ Insurer paid $20,000. Moses Ryan argues for full $1M business income loss limit
Number of Deductibles or Occurrences
◦ Mostly, policies apply one deductible to the same, related, repeated wrongful act
◦ Read policy closely however – (Great American made the argument each transfer was a separate and unrelated wrongful act: Incomm v Great American)
Privacy
◦ Some policies may exclude wrongful collection or wrongful tracking of PII or data. Sample exclusion (Excluded): ‘Collection of information by you (or by others on your behalf) without the knowledge or permission of the persons to whom such information relates’
◦ Be mindful of any exclusion for ‘unintended violation of your privacy policy’
Bodily Injury or Property Damage
◦ Most commercial general liability policies now exclude cyber-related liability
◦ Buy-back endorsements exist for bodily injury (ISO CG 21 06 05 14)
◦ Buy-back endorsements exist for some property damage (ISO CG 04 37 12 04)
◦ Most cyber policies have give back for mental anguish, emotional distress
Unsupported Software Exclusion (Key issue in WannaCry)
◦ Be cautious of any exclusion for unsupported or legacy software
◦ This exclusion is problematic for any company using older software no longer supported by the vendor
◦ Of course, unsupported software increases the risk of loss to the insured and insurer
Sample exclusion wording: …alleging, based upon, arising out of or attributable to the inability to use, or lack of performance of, software programs…due to the expiration or withdrawal of technical support by the software vendor; or…
Negotiate for Voluntary Notification Cost Coverage
◦ Some insurers will offer voluntary notification cost coverage rather than only notification cost when notice is required by law
Notification:
◦ Claim means: …written demand received by any Insured for money or services… (would include a ransomware demand)
◦ …in no event shall the Underwriters be given notice of Claim later than the end of the Policy Period, the end of the Optional Extension Period (if applicable), or sixty (60) days after the expiration date of the Policy Period…
• Report all ‘written demands’ – even if small dollar demands
Consent to Settle and/or Incur Costs:
◦ …the Insured shall not admit liability, make any payment, assume any obligations, incur any expense, enter into any settlement, select the services and products described in Insuring Agreement D., stipulate to any judgment or award or dispose of any Claim without the written consent of the Underwriters…
• Secure consent to pay unless policy provides authority to the insured
PF Chang v. Federal Insurance Company, US District Court Arizona, CV 15-01322 PHX-SMM
Chang had a breach and Bank of America (credit card processor) brought a claim for three items:
◦ Case Management Fee - $50,000
◦ Operational Reimbursement - $163,122
◦ Fraud Recovery - $1,716,798
Only fraud recovery was not covered: it was not a Claim for (Privacy) Injury and would also be excluded by the breach of contract exclusion
Privacy Injury – ‘injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Records, or exceeding access to such Person’s Records’
Court: Bank of America itself did not sustain a Privacy Injury; its records (such Person’s) were not compromised, so it had no claim as a privacy injury. Bank of America’s claim was grounded in a contract to which Chang’s breach of contract exclusion applied
Note: No evidence Chang’s policy had coverage for PCI-DSS breach
Diagram: Credit Card Transactions in PF Chang
◦ Parties shown: MasterCard, Visa, Discover; Bank of America Processor (BAMS); PF Chang; Customers
◦ Labels shown: Processing Agreement; Data owner and notification obligations; Fraud Assessments Charges
1. BAMS did not sustain a privacy injury. Its records were not compromised. (MasterCard sustained the Privacy injury)
2. BAMS claim is contractual. Exclusion would apply.
Privacy Injury: ‘Injury…sustained by a person… because of…access to such person’s record’
No evidence in the PF Chang case that it purchased PCI-DSS coverage
Had PCI-DSS coverage been in place this case might not exist
Sample Cyber Policy Wording: Be certain to include monetary assessments:
‘PCI-DSS assessment means any written demand received by an insured from a Payment Card Association (e.g., MasterCard, Visa, American Express) or acquiring bank for a monetary assessment (including but not limited to a contractual fine, penalty, operational assessments, card reissuance fees and costs, fraud assessments and recoveries, and case management fees) due to an insured’s non-compliance or breach of contract in accordance with PCI data security standards resulting from a failure of security or privacy peril.’
PCI-DSS coverage often removes or limits the Breach of Contract Exclusion:
‘…for liability you assume under any contract or agreement, including but not limited to, any contract price, cost guarantee or cost estimate being exceeded; however, this exclusion does not apply to: with respect to Security and Privacy Liability Coverage, the obligation to comply with PCI data security standards;’
Cyber Business Interruption subject to a time waiting period:
◦ No coverage if the time waiting period is not met
◦ Be cautious to tie the retention to both a time waiting period and a dollar retention and not limited solely to the time waiting period: ‘If the Loss incurred by any insured during the Waiting Hours Period is greater than the applicable (dollar) Retention set forth in the Declarations, the Remaining Retention equals Zero’
◦ In other words, once the time waiting period is met the stated dollar deductible should apply
Will new technology fall under business interruption definitions?
◦ System Failure means failure of security of a Computer System
◦ Will Blockchain (a distributed peer to peer ledger) satisfy the definition of computer system?
Who is the data owner?
◦ Hospital ‘owns’ the HIPAA data, retailer ‘owns’ consumer data
◦ Therefore, the hospital data owner, not its vendor, has the duty and obligation to notify the consumer
Be certain your policy covers a breach at a vendor or off-site location
◦ You have the obligation to notify your customers or consumers as the record owner
◦ Your claim to vendor will be a technology or professional liability errors and omissions based claim – failure under contract to provide a contracted service
◦ Your vendor will need to indemnify/reimburse you for your costs to notify and respond
Contractual obligation to indemnify another party might not be covered
◦ Often seen in credit card processing agreements and other agreements
◦ The credit card processor or third party vendor will not sustain a ‘Privacy Injury’ – its records are not compromised
◦ They do not have the obligation to notify the consumer – you do
Your vendor would need to indemnify you via contract terms
◦ Vendor’s insurance policy may contain a breach of contract exclusion
◦ Make certain there is a carve back covering liability assumed under contract
◦ The breach of contract exception for liability one would otherwise have without a contract being in place might not apply as they have no real liability to the consumer
BEC (Business E-Mail Compromise)
Computer Crime, Funds Fraud Transfer
‘Austrian firm fires CEO after $56-million cyber scam*’
◦ Firm wired $56 million based on a fraudulent e-mail
Actual E-mail to Scripps:
From: Lxxxxxx <[email protected]>
Date: October 3, 2014 at 1:35:00 PM EDT
To: <[email protected]>
Subject: Fwd: Wiring Instruction
M,
Process a wire of $36,850 to the attached account information. Code it to General & Admin Expenses and notify me once its done. I'll forward support later on, currently working on it.
Thanks,
* Source: Austrian Firm Fires CEO after $56-million Cyber Scam, May 26, 2016 AFP World News
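The message above carries several marks that a mail gateway or a finance team's intake step can screen for before anyone acts on a wire request. As an added example (not the author's, Scripps', or any insurer's code), the Python below parses a message and scores those indicators; the company domain, the addresses, the weights and the hold threshold are constructed placeholders.

```python
"""Heuristic BEC (Business E-Mail Compromise) screen for inbound wire requests.

Added example: scores a message on the indicators visible in the forwarded
'Wiring Instruction' e-mail above. All addresses, domains, weights and the
hold threshold are constructed placeholders, not values from the deck.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed company mail domain (placeholder).
INTERNAL_DOMAIN = "example.com"

# Indicator patterns. Weights below are illustrative, not calibrated.
WIRE_WORDS = re.compile(r"\b(wire|wiring|transfer|remit|payment instructions?)\b", re.I)
DOLLAR_AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
CONFIRM_DONE = re.compile(
    r"\b(notify me|let me know|confirm)\b.*?\b(done|completed?|sent)\b", re.I | re.S)
SUPPORT_LATER = re.compile(
    r"\b(support|invoice|backup|documentation)\b.*?\blater\b", re.I | re.S)
URGENCY = re.compile(r"\b(asap|urgent(ly)?|today|immediately|right away)\b", re.I)
FORWARDED = re.compile(r"^\s*(fwd?|fw)\s*:", re.I)

HOLD_THRESHOLD = 6  # placeholder cut-off for routing to out-of-band verification


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _text_body(msg: Message) -> str:
    """Collect text/plain content from a single- or multi-part message."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    return "\n".join(str(part.get_payload()) for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and return its BEC indicators, score and action."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = _text_body(msg)

    indicators = {}
    if _domain(from_addr) != INTERNAL_DOMAIN:
        indicators["external_sender"] = 3          # "executive" writing from outside
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators["reply_to_mismatch"] = 2        # replies diverted elsewhere
    if WIRE_WORDS.search(subject):
        indicators["wire_subject"] = 2
    if FORWARDED.search(subject):
        indicators["forwarded_subject"] = 1        # fake thread to imply history
    if WIRE_WORDS.search(body) and DOLLAR_AMOUNT.search(body):
        indicators["amount_with_wire_request"] = 2
    if CONFIRM_DONE.search(body):
        indicators["asks_for_completion_notice"] = 1
    if SUPPORT_LATER.search(body):
        indicators["support_promised_later"] = 2   # paperwork deferred until after payment
    if URGENCY.search(body):
        indicators["urgency"] = 1

    total = sum(indicators.values())
    action = "hold for out-of-band verification" if total >= HOLD_THRESHOLD else "deliver"
    return {"score": total, "indicators": indicators, "action": action}


# Constructed sample modelled on the redacted e-mail above (addresses are placeholders).
BEC_SAMPLE = """\
From: "L. Executive" <l.executive@webmail-example.net>
Date: Fri, 3 Oct 2014 13:35:00 -0400
To: "M. Controller" <m.controller@example.com>
Subject: Fwd: Wiring Instruction

M,
Process a wire of $36,850 to the attached account information. Code it to
General & Admin Expenses and notify me once its done. I'll forward support
later on, currently working on it.
Thanks,
"""

# Constructed benign control: internal sender, no wire instruction.
BENIGN_SAMPLE = """\
From: "Pat Controller" <pat.controller@example.com>
To: "M. Controller" <m.controller@example.com>
Subject: Q3 vendor payment schedule

Attached is the approved payment run for Q3. Every item was verified
against its purchase order in the ERP before release.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample))
```

A score is only a routing signal: the control that actually stops the wire is a call-back to the requester on a number already on file, which the policy wording later in the deck assumes the insured had in place.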
BEC Scams now targeting all parties in real estate transfers
◦ Buyers, sellers, real estate agents…..and law firms
◦ Follow transactions then perfectly time a fraudulent request to wire money or otherwise divert funds to a fictitious account
◦ Real estate fraud complaints up 480% this year alone!
Source: FBI May 4, 2017 BEC Alert
Computer Crime Insurance and Funds Fraud Transfer (fake e-mail)
5 recent cases of interest:
◦ InComm v Great American, Bank of Bellingham v BankInsure, Taylor & Lieberman v Federal, Medidata v Federal, Apache Corporation v Great American
Key Insurance Coverage Questions for Cyber Crime Coverage:
◦ Is a ‘voluntary’ transfer of funds based on a fraudulent e-mail that looks legitimate covered?
◦ If a person with authorized access makes a fraudulent transfer is that covered?
◦ Is the loss direct or indirect?
◦ If an employee violates internal policy leading to a loss is that covered?
◦ If a programming error allows a fraudulent transfer to occur is that covered?
InComm Holdings v Great American Insurance Company (1:15 cv 2671 WSD), U.S. District Court, Northern District of Georgia, Atlanta Division
◦ InComm sells pre-paid debit cards that can be re-loaded with funds via a separate “chit”
◦ A consumer must call an interactive voice response (IVR) system to re-load the card
◦ When persons made simultaneous calls to load a “chit”, many ‘chits’ were redeemable multiple times when they should have been redeemable only once
Crime Policy Wording:
◦ “{Great American} will pay for loss of…. resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises…to a person… outside those premises”
Key Coverage Disputes:
◦ Is the IVR system a computer or is the IVR a phone system?
◦ Insurer maintains loss is not direct, rather stems from InComm’s contractual commitment with bank to deposit funds when “chit” redeemed
◦ Insurer maintains each transaction is a separate policy occurrence under the deductible
◦ Coding errors in the IVR system, not computer fraud or ‘hacking’
Judge ruled March 2017 in favor of Great American Insurance Company
Judge held redemptions were made over a phone system rather than via a computer (system) as required by the policy
The losses occurred after the initial redemption was made (e.g. when a subsequent call was made to reload the chit) and those re-loads of the chit were all done by phone rather than a computer
The claimed loss was not direct - did not result from a direct transfer of funds from a computer system
InComm plans to appeal
State Bank of Bellingham v BankInsure - U.S. Court of Appeals, 14-3432, Appeal from US District Court, Minneapolis, Minnesota
◦ Bellingham made a claim under the policy when one of its computers became infected with malware that allowed criminals to transfer $485,000
◦ Bellingham employee violated company policy leaving computer on all night, so BankInsure denied the claim on the grounds the loss was the result of a failure to adhere to security protocols
◦ Court reviewed ‘direct’ and took into consideration the ‘efficient proximate cause’ (the unlawful computer hacking by a third party)
◦ Ruled in favor of Bellingham for coverage to apply
Taylor & Lieberman v Federal Insurance Company – Ninth Circuit Court of Appeals (March, 2017)
◦ Taylor & Lieberman received fraudulent e-mails from a fraudster using a client e-mail address requesting funds be sent
◦ Ninth Circuit held fraudulent e-mails were neither forgeries nor financial instruments (for funds transfer fraud coverage under a crime policy), and there was no unauthorized entry into the insured computer system (for computer fraud coverage under a crime policy), such that no coverage applied
In Bellingham, there was an intrusion by the hacker into the policyholder computer system introducing malware
In Taylor & Lieberman, there was no hack or intrusion into a computer system. An employee’s e-mail was hacked rather than the computer system itself, leading to a fraudulent request to wire funds
In Taylor & Lieberman, there was no coverage as it was a ‘voluntary’ transfer of funds by an employee (albeit based on a fraudulent e-mail)
In Bellingham, coverage applied as there was unauthorized access to a computer system
Medidata v. Federal Insurance Company – 1:15-CV 00907, United States District Court, Southern District of New York
◦ The fraudulent ‘executive e-mail’ to wire funds
◦ Federal denied coverage – voluntary transfer of funds
Apache Corporation v. Great American Insurance Company No 15-20499 2016 WL6090901 (Fifth Circuit Court of Appeals, October 2016)
◦ Fraudulent phone call made to Apache employee followed by fraudulent vendor invoice from what appeared to be a ‘legitimate’ vendor
◦ Employee paid the fake vendor invoice which shortly afterward was found to be fraudulent
◦ Fifth Circuit reversed the underlying decision and determined the loss was not a ‘direct loss’ of computer use as required by the policy
◦ Using a computer to initiate a fraudulent invoice was incidental rather than direct and not covered by the policy
Some crime policies will insure BEC fraudulent E-mail from (fake) executives or employees but specific policy wording is required
Be certain to also include Computer Fraud and Funds Transfer Fraud Coverage (also called: Social Engineering, Impersonation Cover)
Sample policy language to insure the fraudulent employee E-mail:
◦ “A fraudulent written instruction to transfer, pay, or deliver electronic funds or transfer funds which purports to have been issued by an employee of the insured but was in fact fraudulently issued by someone without the insured’s consent”
Some insurers will also insure fraudulent E-mail (funds transfer) from (fake) vendor invoices but specific policy wording is required
United States Department of Treasury Notice of Guidance issued December 27, 2016 making it clear Cyber falls under TRIA
Stand-alone Cyber Liability Policies are included under the TRIA Act of 2002
TRIA provides a federal ‘backstop’ up to $100 billion for insurance claims from acts of terrorism
Insurers must provide disclosures and offers that comply with TRIA for any new or renewal policies
Effective Date: April 1, 2017
Many cyber insurer policies are now specifically including coverage for business income and extra expense in cyber liability coverage forms
Some Property Insurers (FM and XL) have cyber coverage for virus and malware, data destruction, and business income
This policy coverage will be subject to a waiting period
Waiting period can range from 8 hours to 48 hours
Must read the policies closely to understand the coverage intended (for example, some policies may require a virus/ransom to be ‘directed at’ the policy insured)
Some insurers are now including ‘system failure’ in addition to ‘system security’ (breach)
AIG CyberEdge (SM) - Products/Completed Operations Liability Insurance
◦ Bodily injury or property damage for products-completed operations hazard, caused by a Security Failure or Product Security or System Failure
◦ Security Failure – failure of a computer system due to a security issue
◦ System Failure – failure of a computer system
◦ Product Security Failure – hardware, software, components… 1) under ownership or operation of person other than the named insured, 2) are part of the Named Entity’s Products, 3) linked together
CyberEdge (SM) - Commercial General Liability Insurance
◦ Bodily injury or property damage caused by a security failure or privacy peril
CyberEdge (SM) First Party Property Damage Insurance
◦ First party property loss as a result of a security failure
CyberEdge (SM) Network Interruption Insurance
◦ Business income and extra expense loss as a result of a security or system failure
Is there a subrogation wave on the horizon?
◦ Many, many business contracts for software, services, hardware being negotiated
Is there contract certainty?
◦ In other words, will the insurance coverage match, mirror contractual intent?
◦ With 67 different policy wordings how will this play out in the future?
Will insurers pay claims for data owners then subrogate other parties?
What about products - completed operations when a security breach is the primary cause of a fire in a plant. Will the plant insurer subrogate?
What about limitation of liability provisions? Will they be upheld?
Two cases of interest:
◦ Affinity Gaming vs. Trustwave Holdings, Inc. – Case No.: 2:15-cv-2464, US District Court, District of Nevada
◦ Travelers vs. Ignition Studio, Inc. – Case #1:15 CV:00608, US District Court, Northern District of Illinois
Insurance Claim Scenario: Two large ocean vessels (A and B) are in the Port of New Orleans, with A close to docking portside. Both are equipped with state of the art electronic systems connected wirelessly to the Internet and satellite systems, including all of the ship’s navigational systems. Suddenly B’s engines fire up and it moves swiftly toward A; the Captain of B is powerless to shut off or disable the engines, and B strikes A broadside. The impact is huge: Vessel A, carrying oil, catches fire and sinks, causing an environmental disaster, shuts down the Port of New Orleans for an estimated two months, and two persons are dead. It is determined by computer forensics that an on-shore hacker had seized control of B’s entire navigational systems. Multiple parties provided the computer hardware, software, component parts, switches, sensors, and installation for electronic systems (e.g. The Products) to Vessel A. Vessel B’s insurer reminds them of the ‘all claims arising out of or in connection to a cyber-liability event’ exclusion under the Protection and Indemnity Policy (P&I). Vessel A’s insurer sues all parties involved.
The Future: IoT Connected Devices, Driverless Cars and Your Smart Home, Risk Aggregation
“The Internet of Things is Wildly Insecure… And Often Unpatchable”
“The security problem grows larger and larger each time another unsecured IoT device is connected to the Internet.”
– Bruce Schneier, Expert International Security Technologist
The Dyn disruption was not all that sophisticated:
◦ Many electronic gadgets connected to the internet but the default password from the manufacturer was NOT changed
◦ Hackers knew the default then simply ‘took over’ many gadgets
◦ Hackers – with many gadgets under control – send signals to Dyn which overloads the system (DDoS attack)
There will be 25 billion connected consumer devices by year end 2015
There will be 50 billion connected consumer devices by year end 2020
Consumers only! – FTC report does not address business devices
Mobile data traffic will exceed fifteen exabytes by 2018
An exabyte of storage could contain 50,000 years’ worth of DVD-quality video
Source: FTC Report 2015 Internet of Things, Privacy and Security in a Connected World
Number of Connected Devices Globally (billions of connected devices):
1993: 0.001
2003: 0.5
2012: 8.7
2013: 11.2
2014: 14.4
2015: 18.2
2016: 22.9
2017: 28.4
2018: 34.8
2019: 42.1
2020: 50.1
Source: FTC Report 2015 Internet of Things, Privacy and Security in a Connected World
Half of companies have already adopted IoT technology, and by 2019 that number is expected to reach 85 percent.
Half of our respondents feel external attack is the greatest threat to their IoT systems, and 84 percent have already experienced an IoT related breach.
Over 77 percent of business leaders said that IoT was ‘just beginning’ and will transform business as we know it.
Source: Hewlett Packard: The Internet of Things: Today and Tomorrow
The Information Value Loop:
Create
◦ Sensors generate information about event or state
Communicate
◦ Transmit the information from one place to another
Aggregate
◦ Gather information created at different times and sources
Analyze
◦ Discern patterns, relationships, leading to descriptions, predictions, prescriptions for action
Act
◦ Initiate, change, or maintain a physical event or state
Deloitte University Press 2015: Inside the Internet of Things – A Primer on the Technologies Building the Internet
Certainly data can help manufacturers improve products:
◦ Product functionality
◦ Product maintenance
Predictive modeling
◦ Data to predict your consumer habits, buying trends, likes and dislikes
◦ What do you listen to, like, ask for (Alexa – play songs by The Beatles for me)
Targeted advertising
◦ Advertisers long for rich and actionable data
But data must be actionable. Storing data for no purpose is a liability
◦ Ashley Madison Breach – many had asked for their information to be deleted completely
Many IoT devices are not being designed with security in mind
IF patches are even issued by manufacturers, it is unlikely consumers will apply the patches to the devices
Mass connectivity raises the risk aggregation concern
◦ Dyn – consumer IoT devices taken over and ‘flooded’ Dyn domain servers
◦ WannaCry and Petya – Virus could be uploaded to connected devices on a massive scale
Privacy concern and litigation may increase substantially
◦ Data – being collected at an alarming pace:
◦ Vizio collected up to 100 billion anonymized viewing data points each day
YOUR DRIVERLESS CAR WILL BE HACKED! And if it crashes who will be responsible?
Today negligence and liability follow the driver/vehicle owner
Personal automobile insurance will pay if the insured is legally liable
However, with a driverless car, is the driver responsible or is the product manufacturer responsible?
Will there be a big spike in product liability coverage needs?
Will the personal automobile market dry up and go away?
What will the regulatory framework look like for self driving cars?
How can insurers understand and price the new technology and changing exposure?
Consider the ‘data’ collected – when you go, where you go, how many are in the vehicle, for how long, how fast, miles driven/ridden, maintenance schedule – how will this data be used?
Will personal automobile insurance revenues really reduce by $160 billion?
Wall Street Journal Article – July 26, 2016
◦ Due to safety enhancements of driverless cars, project personal lines insurance market to shrink to $40 billion by 2040
Will there be a big spike in product liability coverage needs?
◦ Can the premium volume be made up in commercial product liability coverage?
Source: Driverless Cars Threat to Crash Insurers Earnings, Wall Street Journal, July 26, 2016, by Leslie Scism
Charlotte’s public transportation is under a ‘future vision review’
The plan is to spend upward of $6 billion for light rail transportation with three new rail lines connecting various destinations
The time-line for the first phase alone is estimated to be completed in 2025 to 2027
CAT (Charlotte Area Transit) ridership has been decreasing slightly
Light rail would remove or lower congestion with guaranteed times
But driverless cars threaten the ROI spend on infrastructure transit
Should Charlotte spend the money?
‘Will Self-Driving Cars Kill Transit as we Know It? It could be Charlotte’s $6 Billion Bet’ - Charlotte Observer, Steve Harrison, February 24, 2017
‘Fixed route transportation won’t make any sense in ten (10) or fifteen (15) years’
‘We are on the precipice of as much change in transportation as we have seen in 100 years’
Disruption is clearly coming. Is it correct to pause and ask whether the transit plan from twenty (20) years ago is still the best plan for the next two decades?
Source: Charlotte Observer, Steve Harrison, February 24, 2017
Driverless Car Scenarios:
Owned or leased by individual owner (in place today)
License Model
◦ Exclusive License: A person owns the car but is not the everyday user; another person (licensee) is the normal user
◦ Non Exclusive License: Licensee does not have exclusive right or use of the car; shared or perhaps multiple users
Fleet Owned Model
◦ Similar to Uber today where user pays by the ride or per-month fee on an as needed basis
Individual Owned Model
◦ Uber like app connects driverless cars owned by individuals. For example, your car drives you to work then your car is out earning money all day via Uber like app.
Source: Autonomous Vehicles Business Models: How Will you ‘Own’ One? Janine Bowen, LeClairRyan, November 1, 2016
[Figure: Alexa, Cortana, Siri at the center, connected to your bank, direct bill pay, your employer, social media, kids' games, your investment accounts, and your credit cards]
Who will know when you are at home or away?
Will insurance claims decrease due to enhanced monitoring and electronic protection, or will insurance claims increase should hackers be able to steal passcodes for entry or override various systems?
Will insurers give home discounts or credits to smart home owners?
Privacy issues will be big as there will be many data connection points from the home that will be captured and analyzed
What claims might the home builder face when a wired home he or she built floods because a hacker was able to turn on all water outlets to the home when the homeowners were on a two week vacation?
What is the risk concentration issue – could one hacker tap into hundreds or thousands of homes at one time?
Law #1 – Everything connected to the Internet can be hacked
Law #2 – Everything is being connected to the Internet
Law #3 – Everything else follows from the first two laws
Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014. http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf
AIG Survey – Is Cyber Risk Systemic?, December 2016
How likely is it that one systemic attack will impact multiple companies in the next 12 months?
More than 90% responded a cyber systemic event is possible
◦ 5% say > 50% chance
◦ 10% say 10% to 50% chance
◦ 85% say < 10% chance
Amazon Web Services (AWS):
Started in 2006
Today over $10 billion in revenue
31% market share; next closest competitor at 10%
Provides 143 million hours a month of service
Over 1 million customers in over 190 countries
Entering the IoT market (announced October, 2015)
Source: Business Insider, March 14, 2016, Julie Bort
[Figure: AWS region map (WWW.AWS.Amazon.com, Google Map Data 2015) – US East: Virginia (5), Ohio (3); US West: N California (3), Oregon (3); Sao Paulo (3); green circles: coming soon]
Can a cyber corollary be made with the 2007-2008 financial crisis? Will a cyber event cause another financial crisis moment?
The interconnectivity (systemic risk or contagion) of the financial system almost caused its collapse
◦ Systemic risk* - the collapse of an entire financial system or entire market, as opposed to risk associated with any one individual entity, group or component of a system
◦ Contagion* – The spread of mostly downside market disturbances from one country to the other
The failure of Lehman (Indy Mac Bank) and near failure of Bear Stearns created a real and/or perceived liquidity crisis and near financial collapse of the world financial system
* Source: Wikipedia.com
Source: International Monetary Fund, Financial system Stability Assessment, Germany, June 10, 2016
Consider the parallel between the financial system and the cloud:
Financial system (2007-2008):
1. Mortgage problem
2. Lehman falls, spreads to other banks and providers
3. Liquidity/credit flow problem hits others
4. Sovereign debt hit as governments bail out banks
5. Major recessions, government loss of support and US, EU crisis
Can it happen again?
Cloud:
1. Cloud problem
2. Companies depending on the cloud provider that fails, including logistics and those supplying critical support and process
3. Many companies depending on just in time supplies, key process support are impacted
4. Large sections of the economy suffer and it spreads globally
5. Widespread losses, contingent BI, government loss of support, no trust in Internet
Can it happen?
Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014
The Seven Aggregations of Cyber Risk
1. Your Internal IT department - Internal IT hardware, software, routers, people
2. Counterparties / partners – Outsiders such as banks, associations
3. Outsourced and contract partners – Contracts for cloud, HR, legal, etc
4. Supply Chain – IT /cyber supply/ logistics /products/ country
5. Disruptive, new technology, old technology – IoT, smart grid, Tesla
6. Upstream infrastructure – Submarine cables, Internet exchange, government
7. External shocks – International conflicts, malware pandemic
Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014
Maersk IT systems crippled by Petya/NotPetya
Maersk – leader with 18% of market share, high regard for cyber-security
Books 3,300 TEU every hour for $2,700,000 revenue each hour
Bookings impacted for two days (to date as of June 30, 2017)
Estimated two (2) day revenue loss: $129,600,000
Further, consider the systemic supply chain risk:
◦ Global container supply could be in chaos
◦ Maersk may not be able to load, unload, so containers will pile up on docks
◦ Customers looking for other modes of shipping being told there is no space, ‘we’re full’!
Source: International Shipping News, June 30, 2017
So What Is The Potential Dollar Cost Impact? Business blackout simulation on the power grid
A Trillion-Dollar Risk?
Economic impact $22 billion to more than $1 trillion
Not a cyber peril but consider the similarities to a cyber Armageddon
Loss of power, with all things connected, would be a very big insurance claim
“US Power Grid Called Easy Cyber Target” – Department of Energy Report 2017
Source: Lloyd’s and Cambridge Centre for Risk Studies, Business Blackout, Emerging Risk Report 2015
Is a large loss on the way?
◦ The concentration of risk(s) / exposure(s) at a cloud and/or other interconnected locations raises the potential of a large loss
◦ Financial System – Bank of Bangladesh (SWIFT) was $81 million and could have been $1 billion but for a typo error
Integration and especially the Supply Chain Impact
◦ You rely on Amazon, so do your suppliers, so do their suppliers, so do their suppliers’ suppliers…
◦ The contingent business interruption supply chain impact could be substantial
Privacy Issues
◦ The IoT will allow massive collection of PII information
◦ One device touches another device and another
◦ Many, many issues will surface related to privacy rights with location devices
Potential for increased crime
◦ As more homes and businesses become connected and secured remotely will this allow for more break-ins due to a cyber security breach?
Medical devices and other equipment increase the risk of bodily injury related claims
◦ Already reports of pace-makers connecting online becoming hacked
◦ What about hospital medical devices delivering medicines, etc
Will insurers figure a way to price and underwrite the risk?
◦ Capacity and coverage will not be available to handle the changing risk exposure
Will the Catastrophe Bond Market provide needed capacity more quickly?
◦ If the insurance industry does not respond, will the capital markets do so?
◦ Cat bonds have already been issued to insure large cyber breach exposures
Will the Article III Standing threshold break open the floodgates?
◦ Spokeo v Robbins – must have some proof of concrete harm
◦ Since Spokeo, rather inconsistent rulings on concrete harm:
  Church vs. Accretive Health, Inc. (U.S. Eleventh Circuit)
  Hancock vs. Urban Outfitters, Inc. (U.S. Court of Appeals, District of Columbia)
  Carlsen vs. Gamestop, Inc. (U.S. Eighth Circuit)
  Braitberg vs. Charter Communications, Inc. (U.S. Eighth Circuit)
  Galaria vs. Nationwide Mutual Insurance Co. (U.S. Sixth Circuit)
  Perry vs. Cable News Network (U.S. Eleventh Circuit)
  Christina Graham, et al vs. Michael’s Stores, Inc. (US District New Jersey)
  Michael T Dreher vs. Experian Information Solutions, Inc, Equifax, Inc. Trans-Union Inc. et al (U.S. Fourth Circuit)
  Ahmed Kamal vs. J. Crew Group (US District New Jersey)
◦ Plaintiff bar will continue to push new and old theories such as overpayment for services ‘not’ provided (e.g. not protecting PII)
The statutory penalty per each ‘willful’ or ‘knowing’ non-compliance is a big concern: e.g. F.C.R.A. up to $1,000 each
Do the math:
100,000 ‘knowing’ non-compliance records X $1,000 per record = $100,000,000 exposure!
Are WannaCry and Petya simply smokescreens?
Disguised as ransom demands, but are they worming systems undetected?
DoublePulsar, a cyber weapon developed by the N.S.A., has been detected on tens of thousands of computer machines
DoublePulsar mostly flies under the radar, undetectable by most virus and malware scans
Undetected it can then steal credentials giving hackers free rein
To what extent can private business compete with and stop state sponsored cyber weapons?
Source: A Cyber Attack the World Isn’t Ready For – NY Times Online June 25, 2017
1. Criminals harness IoT devices as botnets to attack infrastructure
2. Nation state cyber espionage and information war influences global politics and policy
3. Data integrity attacks rise
4. Spear-phishing and social engineering tactics become more crafty, more targeted and more advanced
5. Regulatory pressures make red teaming the global gold standard with cyber-security talent development recognized as a key challenge
6. Industry first-movers embrace pre-M&A cyber-security due diligence
Source: Stroz Friedberg, 2017 Cyber-Security Predictions, January 2017
1. Privacy litigation and disputes will increase mostly due to IoT devices
2. Two or more nation states will be on the brink of declaring cyber-war
3. ‘Latency’ issues will begin to surface (long-term but unknown data theft or credential compromise, similar to latent product defects)
4. A major cloud provider or utility will be under a serious and sustained cyber attack
5. Companies will begin to re-evaluate their security posture and protocol – is what we are doing the right approach?
6. Blockchain will become a tool for one or more major financial institutions
Questions? Thank You!