A Framework For Managing Cyber Risk - Marsh


A FRAMEWORK FOR MANAGING CYBER RISK
April 2015

CYBER RISK IS HERE TO STAY
"Even an unlimited budget for information security will not eliminate your cyber risk."
— Tom Reagan, Marsh Cyber Practice Leader

SIMPLIFIED CYBER RISK MANAGEMENT FRAMEWORK
Stages of the cycle, with Manage at the centre: Assess, Prevent, Prepare, Transfer, Respond, Remediate.

MANAGING CYBER RISK ACROSS THE ENTERPRISE
Making cyber risk a corporate risk management issue means engaging areas across the enterprise, including:
– Finance.
– Legal.
– Compliance.
– Operations.
– HR.
– Board.
– IT.

REGULATORY SCRUTINY INCREASING
Four steps to managing regulatory scrutiny:
1. Don't leave cyber risk to just the IT department.
2. Look beyond attack prevention.
3. Connect your plans to external stakeholders and resources.
4. Include risk transfer as part of the approach.

THREAT LANDSCAPE
Threat categories by objective, with a typical example of each (table legible only in part in the transcription):
– Nuisance: access & propagation. Example: botnets & spam.
– Data theft: economic, political advantage. Example: advanced persistent threat group.
– Financial gain. Example: credit card theft.
– Defamation, press & policy. Example: website defacements.
– Disrupt operations. Example: deletion of data.
Targeting descriptors legible in the table: opportunistic, conspicuous, conflict driven.
Source: Mandiant

WHAT'S AHEAD
2015 and beyond:
– More destructive attacks?
– Attribution will be more important.
– Counter-forensics will improve.
– Attacks will align with conflicts.
– More threat actors will emerge.
– More government involvement.
– A return to standards for non-regulated industries.
– More reliance on the cloud.
– More active defense (hunting).
– Cyber security will continue to be a board issue.
Source: Mandiant

SECURITY OPERATIONS CHALLENGES
Tools & technology:
– Lack endpoint detection.
– No live response.
– Data (event) overload.
– Slow searches.
– Rely on signature-based detection.
– Needle in a haystack.
Incident response:
– No threat intel.
– Lack of intel context.
– No hunting.
– Ability to quickly sweep and contain.
– Leverage analytics and anomaly detection.
Governance:
– Wide mission.
– Lack required skill sets.
– Compliance burden.
– R&R do not align with organizational model.
Source: Mandiant

EFFECTIVE CYBER DEFENSE
Minimize organizational risk and allow business to function while under continuous attack.
– Predictive: continuously measure the enterprise attack surface and model potential threat vectors targeted at critical assets and data.
– Proactive: hunt for intrusions; discover and remediate or compensate for vulnerabilities.
– Responsive: rapid analysis and containment of threats.
Advanced cyber defense capabilities rest on three pillars: technology, process, and intelligence.
Source: Mandiant

EFFECTIVE CYBER DEFENSE: INDICATORS OF COMPROMISE
Hunting the network provides the capability to conduct proactive analysis to develop new indicators of compromise (IOC):
– Mining historical data.
– IOC sweeps.
A mature IOC capability includes:
– Dedicated individuals to design and build IOCs.
– Developing and updating IOCs regularly (IOC editor).
– Processes and tools in place to actively check systems for IOCs.
Post-incident, hunting assists in ensuring remediation and eradication activities are successful.
Source: Mandiant

INTELLIGENCE IS KING
– Commodity: generated from commodity malware analysis. Structured output: artifacts, domains, MD5s.
– Curated: generated from FireEye research and profiling. Unstructured output: APT groups, TTPs, landscape.
– Community: generated by sharing with industry partners. Structured and unstructured outputs; used to validate intelligence.
Source: Mandiant
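The IOC sweep and "validate intelligence" steps from the two slides above, as an added example that is not code from the deck or from Mandiant. It assumes a flat IOC set of MD5s, domains and file paths (the structured commodity output named above) and constructed endpoint/DNS telemetry; the pruning step shows why unvalidated indicators flood a sweep with false positives.

```python
# Added example: a minimal IOC sweep, not code from the Marsh/Mandiant deck.
# Structured intelligence (MD5s, domains, file paths) is matched against
# constructed host telemetry after low-fidelity indicators are pruned.

EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes: matches every empty file

# Constructed IOC set; every value is made up for this example.
IOC_SET = {
    "md5": {"0f1e2d3c4b5a69788796a5b4c3d2e1f0", EMPTY_FILE_MD5},
    "domains": {"updates.example-bad.test", "example.com"},
    "paths": {r"c:\windows\temp\svch0st.exe"},
}

# Constructed telemetry, as an endpoint agent or DNS log would feed it in.
EVENTS = [
    {"host": "ws-101", "type": "process", "md5": "0F1E2D3C4B5A69788796A5B4C3D2E1F0",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"host": "ws-101", "type": "dns", "query": "cdn.updates.example-bad.test"},
    {"host": "srv-db-2", "type": "dns", "query": "login.example.com"},
    {"host": "srv-db-2", "type": "file", "md5": EMPTY_FILE_MD5,
     "path": r"C:\Windows\Temp\svch0st.exe"},
]

def prune_low_fidelity(iocs, allowlist):
    """The 'validate intelligence' step: drop indicators that fire on benign activity."""
    return {
        "md5": {h.lower() for h in iocs["md5"] if h.lower() != EMPTY_FILE_MD5},
        "domains": {d.lower() for d in iocs["domains"] if d.lower() not in allowlist},
        "paths": {p.lower() for p in iocs["paths"]},
    }

def domain_hit(query, domains):
    """Exact match or any subdomain of a listed domain."""
    q = query.lower()
    return any(q == d or q.endswith("." + d) for d in domains)

def sweep(iocs, events):
    """Return (host, indicator kind, matched value) for every event field that hits an IOC."""
    hits = []
    for ev in events:
        if ev.get("md5") and ev["md5"].lower() in iocs["md5"]:
            hits.append((ev["host"], "md5", ev["md5"].lower()))
        if ev.get("path") and ev["path"].lower() in iocs["paths"]:
            hits.append((ev["host"], "path", ev["path"].lower()))
        if ev.get("query") and domain_hit(ev["query"], iocs["domains"]):
            hits.append((ev["host"], "domain", ev["query"].lower()))
    return hits
```

Sweeping the raw IOC set yields five hits, two of them noise from the empty-file hash and the allowlisted domain; after `prune_low_fidelity(IOC_SET, {"example.com"})` the same sweep returns the three hits an analyst should actually triage.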

CYBER RISK: A RISK MANAGER'S VIEW
Cyber risk at John Deere means:
1. The risk of unauthorized access to personally identifiable information (PII).
2. The risk from employee health and HR records, intellectual property, and credit card transactions.
Focus has been on PII:
– How much we have.
– Where and how it's stored.
– What we would do if it was lost.
Deere is known as a manufacturer, but has a substantial captive finance unit.
Source: Deere & Co.

CYBER RISK MANAGEMENT EVOLVES
Cyber insurance:
– At Deere, the cyber tower has evolved from an engineering E&O policy covering a small contract electronics manufacturing operation that we acquired.
– Each year we gain a greater understanding of cyber exposures.
– Closer attention to policy terms and limits, increasing limits at several renewals.
– Able to demonstrate a robust insurance program to the C-suite.
Risk management:
– Learned that there are many cyber stakeholders.
– Effective cyber insurance needs to be aligned with their interests.
– IT, legal, compliance, and security.
– Build relationships and partnerships.
– They, in turn, appreciate our understanding of the risks and the company's exposures.
Source: Deere & Co.

CYBER IDEAL: PRIVACY EVENT MODEL
(Diagram slide; the model itself is not recoverable from the transcription.)

RISK MANAGEMENT EVOLUTION
"When the C-suite asked about cyber, we were able to demonstrate that a robust insurance program was already in place."
— James P. Morley, Manager, Risk Analysis, Deere & Co.

CYBER INSURANCE: CATEGORIES OF RISK
Coverage and description:
– Information asset loss: the cost to restore data compromised or deleted during a network attack.
– Cyber extortion expenses: costs to pay an extortionist's demands.
– Business interruption and extra expense: reimbursement of lost business income and extra expense following a network failure, including coverage for contingent business interruption.
– Privacy and network security liability: investigation, assessment, and notification costs in the event of a data breach; defense and liability resulting from a claim for a security breach; defense and liability resulting from a claim for a privacy breach; counsel for a privacy regulatory proceeding or investigation; indemnification of any fines or penalties assessed by the regulator from the privacy breach.

SUPPLY CHAIN DISRUPTIONS
Unplanned network outages: the most significant supply chain disruption exposure.
(Chart of disruption exposures by impact level, labelled High Impact and Some; the values are not recoverable from the transcription.)
Source: Zurich

CYBER AND PROFESSIONAL LIABILITY: HOW DO THEY OVERLAP?
– Coverage: security & privacy (cyber). Liability covered claims: third-party damages resulting from a failure of security or privacy controls. Example: loss of employee PII.
– Coverage: professional liability (E&O). Covered claims: third-party damages resulting from professional negligence. Example: error in software that deletes data stored on customer computers.
– Overlap: third-party damages resulting from coincidence of control failure and professional negligence. Example: security breach that discloses customer information.

CYBER INSURANCE RATES
US historical rate (total price per million) changes, cyber liability, 2013 Q1 through 2015 Q1.
Series plotted: All companies; Companies – revenues of 1B; Companies – revenues less than (label truncated in the transcription).
(Quarterly rate-change percentages are chart residue and are not recoverable from the transcription.)

CYBER INSURANCE PURCHASING
For a copy of "As Cyber Concerns Broaden, Insurance Purchases Rise", please visit marsh.com, ask your Marsh representative, or send a request to questions@marsh.com.

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.
Copyright 2015 Marsh LLC. MA15-13380. All rights reserved.
