Assessing Your Cyber Risk: A Real Life Case Study
Presented by: Liz Limjuco, Marsh; Mike Paulino, CSG International; Cindy Stevens, Colorado Springs Utilities

Agenda
• What is Cyber Insurance
• Overview of Cyber Risk
• Quantifying Cyber Risk
• CSG Case Study
• Colorado Springs Utilities
March 22, 2017
Cyber Insurance
Cyber Insurance: Key Insurance Coverages

First Party Cover (direct loss and out-of-pocket expense incurred by the insured)

Business Income / Extra Expense
  Description: Interruption or suspension of computer systems due to a network security breach. Coverage may be added to include system failure (an outage with no attacker involved).
  Covered costs:
  • Loss of income
  • Costs in excess of normal operating expenses required to restore systems
  • Dependent business interruption (outage at a provider the insured depends on)
  • Forensic expenses

Data Asset Protection
  Description: Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed.
  Covered costs:
  • Restoration of corrupted data
  • Vendor costs to recreate lost data

Event Management
  Description: Costs resulting from a network security or privacy breach.
  Covered costs:
  • Forensics
  • Notification
  • Credit monitoring
  • Call center
  • Public relations
  • Sales discounts

Cyber Extortion
  Description: Network or data compromised if a ransom is not paid.
  Covered costs:
  • Forensics
  • Investigation
  • Negotiation and payment of ransoms demanded

Third Party Cover (defense and liability incurred due to harm caused to others by the insured)

Privacy Liability
  Description: Failure to prevent unauthorized access, disclosure or collection of information (including such a failure by others to whom you have entrusted the information), or failure to properly notify of a privacy breach.
  Covered costs:
  • Liability and defense
  • Third party trade secrets
  • Notification to individuals
  • Investigation costs
  • Costs related to public relations efforts
  • Sales discounts

Network Security Liability
  Description: Failure of system security to prevent or mitigate a computer attack. Failure of system security includes failure of written policies and procedures addressing technology use.
  Covered costs:
  • Liability and defense
  • Bank lawsuits
  • Consumer lawsuits
  • Sales discounts

Privacy Regulatory Defense Costs
  Description: Privacy breach and related fines or penalties assessed by regulators.
  Covered costs:
  • Investigation by a regulator
  • Liability and defense costs
  • PCI / PHI fines and penalties
  • Preparation costs to testify before regulators
  • Consumer / bank lawsuits
Cyber Insurance Marketplace

Capacity: $1.3B in notional capacity, heavily domiciled in the US. Large towers are typically $200-$500M. Common primary markets: AIG, XL, Zurich, Lloyds.

Coverage: Enhancements have been introduced to address the needs of more industrial customers, e.g. system failure and business interruption.

Appetite: The underwriting process is increasingly thorough. Tech E&O and manufacturing remain favorable classes for many insurers.

Retentions: For organizations with more than $1B in revenue, retentions above $1M often lead to full limits across all insuring agreements. Increasing retentions leads to only nominal premium savings.

Pricing: Premium is heavily dependent on industry, security controls, limitations of liability within contracts, retention level, coverage requests, and loss history.
Cyber Risk: An Evolving and Headlining Risk for Organizations
• Liability to customers and key vendors
• Fines and assessments by the Payment Card Industry
• Regulatory scrutiny
• Notification requirements
• Supply chain
Defining Your Risk: How Is Cyber Risk Impacting Your Organization?

Leading cyber risks and the questions each raises:
• Operational Disruption: What are you doing to mitigate risk at each touch point across your third party suppliers/providers?
• Regulatory Compliance: What changes have you made recently in how you manage and protect sensitive data?
• Employee Exposures: What are you doing to protect key employee or prospective employee information? How has this impacted your ability to recruit or retain talent?
• Lawsuits and Reputational Harm: Do you have a response plan in the event of a breach? How are you mitigating the potential damage?
Defining Your Risk: Impact Across The Organization
Cyber is not just an IT issue. It is an enterprise risk that impacts many key stakeholders within your organization.
Potential Threat Environment
Quantifying Cyber Risk: Key Questions to Address
• Identifying current and developing exposures
• Identifying gaps in cyber practices and coverage
• Designing programs to manage cyber risk effectively
• Communicating findings to key decision makers
Quantifying Cyber Risk: A Risk Based Approach To Assess Cyber Exposures

1. Understand Your Potential Areas Of Risk
• Consider the organization's internal and external business environment
• Examine current systems, practices and controls for monitoring, reporting and response with regard to cyber-related risks
• Articulate the organization's cyber risk appetite
  ‒ Use risk consequence criteria/levels of impact

2. Undertake A Risk Assessment
• Include a variety of personnel across the business, covering:
  ‒ Key business assets and critical information systems
  ‒ Information system/security, legal and risk personnel
• For each cyber loss exposure considered, identify potential scenarios of threat sources and risk drivers
• Assess the effectiveness of current controls and practices in place to manage each threat source and risk driver

3. Risk Transfer and Loss Funding Options
• For identified threat sources and risk drivers, confirm available contractual risk transfer and loss funding options
• Undertake analysis of the expected first- and third-party insurance policy response to each risk event/scenario
• Enlist help from the organization's insurance broker as needed
• For non-insurance key risk events:
  ‒ Review the vulnerabilities they cause
  ‒ Develop strategies and initiatives to improve systems and controls

4. Developing Underwriting Information
• Provide information amassed during the previous steps to the insurance market. This will help:
  ‒ The cyber insurance market underwrite on an informed basis
  ‒ The organization's insurance broker negotiate the best available cyber insurance policy cover, limits, pricing and terms

Source: Marsh Analytics
Quantifying Cyber Risk: Using Analytics As Part of the Risk Decision

[Figure: a cycle around the risk manager through Risk Identification, Risk Transferred Considerations and Risk Retained Considerations, each stage paired with the questions and analytics below.]

Questions the analytics answer:
• What do we need to be concerned about?
• What is the potential risk and how much could it cost the company?
• How much volatility and retained risk is appropriate for the company?
• Are we protected and do we have optimal programs in place?
• Does my retained risk sit in the appropriate vehicle?
• Are we capturing the right data about risks and losses efficiently?
• Are we doing everything we can to manage, prevent or mitigate losses?
• Are we minimizing administrative costs?

Analytics and programs named: Loss Projection Model, Cyber Modeling, Risk Tolerance, Risk Bearing Capacity, Enterprise Risk Management, Benchmarking, Risk Maps, After Insurance Loss Simulation, Captive Solutions, Qualified Self Insurance, Claims Benchmarking, Claims Data Management, Risk Management Information Systems, Leakage Audit, Claims Inventory Management, TPA Performance Assessment on WC, Medical Claims Advocacy Costs, Workforce Strategies & Safety, Collateral Solutions, Loss Control
CSG INTERNATIONAL
Quantifying Company Specific Risk
• Separate the data elements you hold: personal info vs payment info vs health info
• Discussions with the company CISO and/or IT groups will help determine the most likely targets and scenarios
  – Ask questions to determine the maximum probable loss in terms of record count
  – How is company data separated?
• Even if you don't think you are a likely target, you probably have customers or suppliers that are
  – Target's data was hacked through a vendor
  – The "rogue employee" situation could happen to any company
Quantifying Company Specific Risk
• Narrowing the range of company specific breach costs is the key to determining appropriate limits and gaining executive buy-in for those limits
• Pre-negotiate breach remediation costs with vendors before a cyber event occurs
• Apply company specific information to breach cost models
• Discuss your company's unique situation with your broker in order to customize the cyber model
Non-Insurance Mitigation
• Revisit the record retention policy
  – Purge records as soon as reasonable
  – Ensure that records are actually being purged according to policy
• Does your organization have a cyber breach playbook?
• Are there controls that could help prevent the rogue employee scenario?
Obtaining Executive Buy-In
• The doomsday event is not probable and is never completely insurable
• Present maximum probable loss examples built from the information gathered in the data evaluation
  – The maximum probable loss exercise should be the basis for limit decisions
• Highlight any non-insurance risk mitigation strategies as action items
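The maximum probable loss exercise the CSG slides describe (record counts by data element, company specific breach cost assumptions, pre-negotiated vendor rates, a retention and a limit) can be run as a small scenario model. The block below is an added example, not code from the presentation, from CSG International or from Marsh; every record count, per-record cost, annual probability, retention and limit in it is a constructed assumption chosen to show the mechanics, not a figure from the slides or from any published breach-cost study. It excludes scenarios below a probability threshold from the MPL (the "doomsday" event), splits each scenario's cost into retained, insured and uninsured portions, and shows how a pre-negotiated credit monitoring rate changes the limit needed.

```python
"""Scenario-based breach cost model for sizing cyber insurance limits.

Added illustration. Every record count, per-record cost, probability,
retention and limit below is a constructed assumption for the example,
not a figure from the presentation or from any published breach-cost study.
"""
import copy
from dataclasses import dataclass

# Per-record first-party costs (USD) by data element, keyed by the cost buckets
# the coverage table names (notification, credit monitoring, call center,
# regulatory fines, card brand assessments). Constructed assumptions.
PER_RECORD_COST = {
    "personal": {"notification": 1.00, "credit_monitoring": 10.00, "call_center": 0.50},
    "payment": {"notification": 1.00, "card_brand_assessment": 5.00, "call_center": 0.50},
    "health": {"notification": 1.50, "credit_monitoring": 10.00,
               "regulatory": 25.00, "call_center": 1.00},
}

# Event costs that do not scale with record count (forensics, PR, counsel).
FIXED_EVENT_COST = {"forensics": 250_000.0, "public_relations": 100_000.0, "legal": 150_000.0}


@dataclass
class Scenario:
    name: str
    annual_probability: float   # assumed chance the scenario occurs in a year
    records: dict               # data element -> number of records exposed


def scenario_cost(scenario, per_record=PER_RECORD_COST, fixed=FIXED_EVENT_COST):
    """Total first-party cost of one scenario: for each exposed data element,
    record count times the sum of that element's per-record cost buckets,
    plus the fixed event costs."""
    variable = sum(count * sum(per_record[element].values())
                   for element, count in scenario.records.items())
    return variable + sum(fixed.values())


def negotiated_rates(per_record, element, bucket, rate):
    """Return a copy of the per-record table with one bucket replaced by a
    rate pre-negotiated with a vendor (e.g. credit monitoring agreed before
    any event). The original table is left unchanged."""
    table = copy.deepcopy(per_record)
    table[element][bucket] = rate
    return table


def expected_annual_loss(scenarios, per_record=PER_RECORD_COST):
    """Probability-weighted sum of scenario costs (annualised expected loss)."""
    return sum(s.annual_probability * scenario_cost(s, per_record) for s in scenarios)


def maximum_probable_loss(scenarios, min_probability, per_record=PER_RECORD_COST):
    """Costliest scenario whose likelihood is at least min_probability.
    Scenarios below the threshold (the 'doomsday' event) still appear in the
    expected loss but are excluded here, since they are not the basis for
    sizing limits."""
    credible = [s for s in scenarios if s.annual_probability >= min_probability]
    if not credible:
        raise ValueError("no scenario meets the probability threshold")
    worst = max(credible, key=lambda s: scenario_cost(s, per_record))
    return worst, scenario_cost(worst, per_record)


def apply_tower(loss, retention, limit):
    """Split a loss across a simple tower: self-insured retention first, then
    the policy limit sitting above the retention, then anything beyond that,
    which stays uninsured."""
    retained = min(loss, retention)
    insured = min(max(loss - retention, 0.0), limit)
    uninsured = max(loss - retention - limit, 0.0)
    return retained, insured, uninsured


def limit_to_fund(mpl, retention):
    """Policy limit needed above the retention to fully fund the MPL."""
    return max(mpl - retention, 0.0)


# Constructed scenarios modelled on the kinds of events the slides mention.
SCENARIOS = [
    Scenario("rogue employee exports customer file", 0.05, {"personal": 200_000}),
    Scenario("vendor compromise reaches payment data", 0.02,
             {"personal": 1_000_000, "payment": 1_000_000}),
    Scenario("doomsday: entire data warehouse", 0.001,
             {"personal": 10_000_000, "payment": 5_000_000, "health": 2_000_000}),
]
RETENTION = 1_000_000.0   # assumed self-insured retention
LIMIT = 15_000_000.0      # assumed policy limit above the retention

if __name__ == "__main__":
    worst, mpl = maximum_probable_loss(SCENARIOS, min_probability=0.01)
    print(f"expected annual loss: ${expected_annual_loss(SCENARIOS):,.0f}")
    print(f"MPL scenario: {worst.name} -> ${mpl:,.0f}; limit needed above "
          f"${RETENTION:,.0f} retention: ${limit_to_fund(mpl, RETENTION):,.0f}")
    for s in SCENARIOS:
        r, i, u = apply_tower(scenario_cost(s), RETENTION, LIMIT)
        print(f"{s.name}: retained ${r:,.0f} insured ${i:,.0f} uninsured ${u:,.0f}")
    cheaper = negotiated_rates(PER_RECORD_COST, "personal", "credit_monitoring", 6.00)
    _, mpl2 = maximum_probable_loss(SCENARIOS, 0.01, cheaper)
    print(f"MPL with pre-negotiated credit monitoring: ${mpl2:,.0f}")
```

With these assumed inputs the vendor-compromise scenario is the MPL at $18.5M, so a $1M retention with a $15M limit leaves $2.5M uninsured, while the doomsday scenario leaves over $200M uninsured whatever the tower, which is the slide's point that it is never completely insurable. Replacing the assumed $10 credit monitoring rate with a pre-negotiated $6 brings the MPL to $14.5M and inside the same tower, which is why narrowing the cost range comes before choosing limits.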