How can your Captive help you manage Cyber risks?

Presentation transcript:

1 How can your Captive help you manage Cyber risks?

2 Agenda
History (slide 2): Continued evolution of cyber threats
Regulatory focus (slide 6): What are the regulators interested in?
Focus now on response, not just prevention (slide 8): Not a matter of 'if' but 'when'
Protect what is important (slide 11): External perimeter; internal assets
Cyber insurance (slide 15)
Panel discussion

3 History

4 Today’s cyber security threat
Business depends on technology. Digital systems are now the lifeblood of most companies, and they also have the potential to bring about a company's demise. Given the mission-critical nature of data in nearly every aspect of modern enterprise, organizations are facing not simply escalating risk, but the near-certainty that they will suffer an information security breach. Cyber security threats are evolving with unparalleled speed, complexity and impact, with reported breaches of information security rising annually by more than 50%. Organizations are no longer asking “are we secure?”, but “how can we ensure that the information most important to our business will be secure enough?”

5 Cyber security threats are constantly evolving

6 Many organizations are still fighting to close the gap
Companies have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration. However, the number and sophistication of threats has also increased, and is challenging Information Security functions to keep up. As a result, the gap between what Information Security functions are doing and what they should be doing has widened.
[Chart: The Gap, 2006 to 2016]

7 Regulatory focus

8 What are the Regulators Asking?
- SEC: Cyber exams performed in both 2014 and 2015, with continued and increased focus planned for 2016
- NAIC (National Association of Insurance Commissioners): April 2015, the Cybersecurity Task Force of the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance
- FINRA (Financial Industry Regulatory Authority): February 2015, FINRA released “The Report on Cybersecurity Practices”, which discussed the results of their 2014 targeted Cyber Sweep exams
- PCAOB (Public Company Accounting Oversight Board): “Information gathering” during the 2014 and 2015 examination cycle, plus inquiring of the Big 4 and other accounting firms about organizations’ cyber strategies
- FFIEC (The Federal Financial Institutions Examination Council): Released a Cybersecurity Self Assessment for firms in June 2015
- SIFMA (Securities Industry and Financial Markets Association): SIFMA created a Cybersecurity Resource Center to provide guidance on how organizations should ensure that Cyber Risks are considered in their environment
In addition to the regulatory focus, compliance with the different data protection and data privacy laws is an additional burden on organizations.

9 Focus now on response, not just prevention

10 “We fight off 50,000 cyber attacks every day” – CEO, global energy organization
“The question is not if your company will be breached, or even when. It has already happened. The real questions are: are you aware of it, and how well are you protected for the future?”

11 The importance of staying ahead of Cybercrime As cybersecurity threats evolve with unparalleled speed, complexity and impact, organizations are no longer asking “are we secure?” but “how can we ensure that the information most important to our business will be secure enough?” In today’s connected, information-heavy world, a startling new way of viewing the global business landscape is emerging. Given the mission-critical nature of data in nearly every aspect of modern enterprise — and the astonishing growth in the cyber criminals who seek to undermine it — organizations across all sectors are facing not simply escalating risk, but the near-certainty that they will suffer an information security breach. In fact, the harsh reality of today’s security environment means that they are likely to have experienced it already and that, therefore, there are only two kinds of organization: those that have been breached and know it, and those that remain dangerously oblivious.

12 Protect what is important

13 External network; internal assets
External – Protecting the perimeter is key for all organizations, although the concept of a ‘perimeter’ is diminishing due to:
- BYOD: each device added is an extension of the ‘perimeter’
- Cloud computing and virtualization
- Increasing use of 3rd parties to perform key business processes, involving data transfer, vendor application systems etc.
Internal – The insider threat is one of the key cybersecurity risks, and organizations need to seriously consider their security stance from both an external and an internal perspective.
Organizations must recognize and prioritize their critical assets and implement the necessary controls to help protect those assets.

14 Understand your business, assets and risks

15 The Cybersecurity framework

16 Cyber insurance

17 APPENDICES

18 Milestones in cyber risk insurance
1997: First internet liability policy was written
1999-2002: DotCom bubble, first phase of growth focusing on technology risk
2003: First breach notification law passed in the US
2004: ChoicePoint data breach highly publicized in media; it paid a fine of US$10 million to the FTC
2013: Target breach, 40 million card details and 70 million PII records compromised
2014: NIST Cyber Security Framework launched in the US; Cyber Essentials, risk management framework launched by the UK government
2015: EU Data Protection Directive likely to be approved in 2015

19 Cyber Insurance: What does it cover?
Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Policies generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement. Generally, cyber risks fall into first-party and third-party risks. Insurance products exist to cover either or both of these types of risk.
First-party insurance covers your business’s own assets. This may include:
- Loss or damage to digital assets such as data or software programs
- Business interruption from network downtime
- Cyber extortion, where third parties threaten to damage or release data if money is not paid to them
- Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
- Reputational damage arising from a breach of data that results in loss of intellectual property or customers
- Theft of money or digital assets through theft of equipment or electronic theft
Third-party insurance covers the assets of others, typically your customers. This may include:
- Security and privacy breaches, and the investigation, defense costs and civil damages associated with them
- Multi-media liability, to cover investigation, defense costs and civil damages arising from defamation, breach of privacy or negligence in publication in electronic or print media
- Loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems

20 Cyber cover includes first-party as well as third-party losses
First-Party Insurance
First-party cover applies to losses incurred directly by the insured, such as damage to the data and systems of an organization as a result of a cyber attack or technological glitch. Costs covered include:
- Forensic investigation of the security breach to assess the impact
- Notification cost to affected parties such as customers and business stakeholders
- Regulatory obligations, fees and penalties, and expenses related to crisis management, credit monitoring and public relations
- Loss of profits due to business interruption caused by a network outage or cyber attack
- Restoration cost for damaged systems and data retrieval due to a cyber attack or technical glitch
Third-Party Insurance
Third-party insurance, or cyber-liability insurance, applies to the defence costs, damages and liabilities to third parties such as customers, business partners and regulatory agencies. It also includes the policyholder’s actions or omissions while providing technology or consulting services. Costs covered include:
- Third-party claims for damages incurred by customers, business partners and vendors
- Legal defence cost and regulatory fines and penalties for claims made
- Civil lawsuits, settlements or judgments related to a security breach
- Media liability covering claims such as infringement of intellectual property, copyright/trademark, libel and slander
- Claims arising from errors made by technology or consulting companies while providing services

21 The cost of a data breach from cyber attack
The average cost of the worst breach suffered has gone up significantly, particularly for small businesses:
- £600k - £1.15m is the average cost to a large organization of its worst security breach in 2014 (up from £450k - £850k a year ago)
- £65k - £115k is the average cost to a small business of its worst security breach in 2014 (up from £35k - £65k a year ago)
- In fact, 10% of organizations in the UK that suffered a breach in the last year were so badly damaged by the attack that they had to change the nature of their business.
The time taken to address a breach has also gone up substantially:
- The average length for which respondents’ worst breaches disrupted operations increased to 7-10 days for small businesses and 5-8 days for large companies in 2014, vs. just 1-2 days on average for both in 2012.
- Among small businesses, the average time spent on responding to incidents is 12-24 man-days, up from 6-12 man-days in 2013. In large organizations, the effort required was also much higher, with an average of 45-85 man-days, up from 25-45 man-days in 2013.

22 Cyber Loss Spectrum (1st Party / 3rd Party; Financial / Tangible)
Any major cyber event will result in:
- PR, response, and continuity costs
- Immediate and extended revenue loss
- Restoration expenses
- Defense costs
Third parties will seek to recover:
- Civil penalties and awards
- Consequential revenue loss
- Restoration expenses
Physical damage is possible:
- 1st party property damage
- 1st party bodily injury
Physical damage may cascade to others:
- 3rd party property damage
- 3rd party bodily injury

23 2016 Aon Captive Cyber Benchmarking Survey
Source: 2016 Aon Captive Cyber Benchmarking Survey by Industry, “Cyber—The Fast Moving Target: Benchmarking views and attitudes by industry”: http://www.aon.com/risk-services/cyber.jsp

