Professional Documents
Culture Documents
6 Conclusions
What is Cyber Risk?
Table 1: Taxonomy of Operational Risk
1. Actions of People 2. Systems and 3. Failed Internal 4. External Events
Technology Failures Processes
1.1 Inadvertent 2.1 Hardware 3.1 Process design or 4.1 Disasters
1.1.1 Mistakes 2.1.1 Capacity execution 4.1.1 Weather event
1.1.2 Errors 2.1.2 Performance 3.1.1 Process flow 4.1.2 Fire
1.1.3 Omissions 2.1.3 Maintenance 3.1.2 Process 4.1.3 Flood
2.1.4 Obsolescence documentation 4.1.4 Earthquake
1.2 Deliberate 3.1.3 Roles and 4.1.5 Unrest
responsibilities
1.2.1 Fraud 2.2 Software 4.1.6 Pandemic
3.1.4 Notifications and
1.2.2 Sabotage 2.2.1 Compatibility
alerts
1.2.3 Theft 2.2.2 Configuration 4.2 Legal issues
management 3.1.5 Information flow
1.2.4 Vandalism 4.2.1 Regulatory
2.2.3 Change control 3.1.6 Escalation of issues
compliance
2.2.4 Security settings 3.1.7 Service level
1.3 Inaction 4.2.2 Legislation
agreements
1.3.1 Skills 2.2.5 Coding practices 4.2.3 Litigation
3.1.8 Task hand-off
1.3.2 Knowledge 2.2.6 Testing
4.3 Business issues
1.3.3 Guidance 3.2 Process controls
1.3.4 Availability 2.3 Systems 4.3.1 Supplier failure
3.2.1 Status monitoring
2.3.1 Design 4.3.2 Market conditions
3.2.2 Metrics
2.3.2 Specifications 4.3.3 Economic conditions
3.2.3 Periodic review
2.3.3 Integration
3.2.4 Process ownership
2.3.4 Complexity 4.4 Service dependencies
4.4.1 Utilities
3.3 Supporting
processes 4.4.2 Emergency services
3.3.1 Staffing 4.4.3 Fuel
3.3.2 Funding 4.4.4 Transportation
3.3.3 Training and
development
3.3.4 Procurement
How is cyber risk defined in insurance?
– Common 1st Party Insurance Coverage
• Investigation costs, crisis management, notification costs, credit
monitoring, restoration of data resulting from
Theft of identities or private information
Unauthorized access to data/computer networks
June 2012-Apr 2014 Jan 2014-Apr 2014 Neiman Dec 2013-Apr 2014 The
LinkedIn faces accusations Marcus confirmed that its data breach that exposed
of fraud in a class-action database of customer information personal information of up
lawsuit stemming from a was hacked last month, around to 70 million individuals
data breach its systems mid-December, the same time that has resulted in more than
suffered almost two years Target stores were targeted 80 lawsuits against the
ago. In June 2012, hackers Minneapolis-based
infiltrated the professional It has been reported that the retailer, which revealed in
networking site and posted breach at Neiman Marcus could as December that malware
passwords of 6.5 million far back as July 2013 and that the on its checkout registers
LinkedIn members, and the breach was not fully contained also led to the cyber theft
plaintiff in the suit has until Sunday January 12, 2014. of sensitive financial
claimed the site information from some 40
misrepresented its security 1.1M+ Records million credit and debit
measures. (encryption card accounts.
standards weaker than
industry) 70M+ Records
6.5M+ Records
Percent of breaches that remain undiscovered
for months or more*
0.8
0.7
0.67 0.66
0.6
0.55 0.55
0.5 0.44
0.4 0.41
0.3
0.2
0.1
0
2008 2009 2010 2011 2012 2013
Jan 2013 - U.S. Homeland Security Secretary Janet Napolitano warned that a major cyber attack
is a looming threat and could have the same sort of impact as last year’s Superstorm Sandy.
Napolitano said a “cyber 9/11” could happen “imminently and that critical infrastructure –
including water, electricity, and gas – was very vulnerable to such a strike.
Which industries have been most impacted
(non-insurance view)?
According to the 2013 Cost of Cyber Crime Study by the Ponemon Institute,
three industries have had the highest average annualized cost of cyber
crime in the last three years. In 2013 the average annualized cost was:
– Defense: $20.3M
Industrial Consumer Hospitality Retail
– Utilities & Energy:
4% $19.1M
Products 3% 2% Defense
3% Financial Services
– Financial Services: $16.8M
Healthcare
5% Defense Utilites & Energy
17%
Education & Research
Public
Sector Communications
5%
Transportation
Services Financial Services Technology
5% 14%
Services
Public Sector
Utilites & Energy
16% Healthcare
Technology Industrial
6%
Transportation Consumer Products
Education &
5%
Research Communications Hospitality
8% 7%
Which industries have been most impacted
(insurance view)?
According to the 2013 Cyber Liability & Data Breach Insurance Claim Study by
NetDiligence, three industries have had the highest number of claims in the
last three years. In 2013 the number of claims surveyed were:
– Healthcare: 29.3% of claims
Retail Financial Services
– Retail: 12.8% of claims 13% Utilites & Energy
Financial Services
15% Education & Research
Communications
Transportation
Technology
Services
Public Sector
Healthcare Healthcare
29% Industrial
Consumer Products
Hospitality
Retail
When should organizations be concerned about
their cyber risk exposure?
Organizations should be concerned about cyber risk if they:
– Gather, maintain, disseminate or store private information
– Have a high degree of dependency on electronic processes or computer networks
– Engage vendors, independent contractors or additional service providers
– Are subject to regulatory statutes
– Are required to comply with PCI Security Standards/Plastic Card Security statutes
– Are concerned about contingent bodily injury and property damage that may
result from cyber incidents
– Rely on or operate critical infrastructure (Personally Identifiable Information risks
are less prominent for industries such as utilities, manufacturing and logistics)
– Are concerned about intentional acts by rogue employees
– Are a public company subject to the SEC Cyber Disclosure Guidance of 2011
How do you use external data (Various sources with many different views)
How do you map data sources to insurance and limit of liability contracts?
• Quantify the aggregate exposure to Cyber risk (1st and 3rd party) in
any given quarter
2.00
Estimated Mean Frequency
1.50
1.00
0.50
-
Denial of Malicious Malicious Phishing & Web-based Botnets Stolen & Malware Viruses,
service insiders code social attacks lost devices worms,
engineering trojans
Attack Type
Estimated Mean Severity (μ)
Estimated Mean Severity per Attack
400
Estimated Mean Severity ($Thousands)
300
200
100
-
Malware Botnets Viruses, Web-based Stolen & Malicious Phishing & Malicious Denial of
worms, attacks lost devices insiders social code service
trojans engineering
Attack Type
Security Provisions that Modified Our Results
Frequency
20% Conversion
Industry Attacks/ 1,000 Enterprise
Rate Incident >
Seats
Dollar Loss
Industry: SIEM :
Client frequency 6.5% Client frequency 20%
higher due to lower due to use of
customer industry mix SIEM technologies
Severity Model
Encryption:
SES:
Client Stolen & Lost
Client severity 25%
Devices Only severity
lower due to security
5.0% lower due to
posture
encryption standards
Cyber Risk Model Build– High Level
Total Client Frequency = Number of
Attacks per unit of
Cyber Risk Losses= Viruses, Worms, Trojans
Exposure
Exposure = number of
Frequency Malware staff w/ unencrypted
access to customer data
…
Case Study:
Cyber Risk Modeling Results
Unlimited Losses by Attack Type
Viruses/worms/trojans and
malware have the highest
estimated frequencies, but have
the 3rd lowest, and lowest
severities, respectively
TVaR @ 95% $ 1,250.0 $ 250.0 $ 75.0 $ 750.0 $ 3,750.0 $ 1,990.0 $ 500.0 $ 1,400.0 $ 350.0
Current Program Analysis
The Current Program provides
catastrophic loss protection
– Compared to purchasing no
insurance (Unlimited Loss), the
Current Program provides
catastrophic loss protection of
$5.0 million as measured by
TVaR at the 95th percentile, and
it results in a Mean TCOR
decrease of $75,000
• Current Program does a
good job of lowering both
the Mean TCOR and TVaR @
95%
$ in millions
Criteria Unlimited Loss Current Program
Mean Losses $575,000 $300,000
Estimated Premium $250,000
Mean TCOR $575,000 $500,000
TVaR @ 95% $8,000,000 $5,000,000
Case Study Conclusions
• Client has significant exposure to cyber risk
• Stolen/lost devices and denial of service attacks are the single largest sources
of risk to the organization
• Current insurance limit of $XXM is very modest compared to the overall risk to
the organization. Additional risk transfer methods should be considered.
• Security measures and controls are some of the best in the industry, but cyber
risk continues to exist through potential break-downs in those controls
• It is important for the organization to measure this risk and make a conscious
decision on the appropriate level of risk for Client
Conclusions
Conclusions
• Cyber crimes have become common occurrences and continue to be costly to
organizations
• Actuaries can help quantify cyber risk through the use of stochastic modeling
and available industry data
Data Reliance
In conducting this analysis, we relied upon the provided data without audit or independent verification; however, we
reviewed it for reasonableness and consistency. Any inaccuracies in quantitative data or qualitative representations could
have a significant effect on the results of our analysis.
SES Score
Appendix 2 – PCI DSS
What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL
companies that process, store or transmit credit card information maintain a secure environment. Essentially any
merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the
ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account
security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC
(www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa,
MasterCard, American Express, Discover and JCB.).
It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security
under explicit management control. Being a formal specification means that it mandates specific requirements.
Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified
compliant with the standard.
TDES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive
invocations of the DES algorithm. ANSI X9.52 specifies seven modes of operation for TDES and three keying
options: 1) the three keys may be identical (one key TDES), 2) the first and third key may be the same but
different from the second key (two key TDES), or 3) all three keys may be different (three key TDES). One key
TDES is equivalent to DES under the same key; therefore, one key TDES, like DES, is currently allowed only
for legacy systems, but will not be approved after 2004. Two key TDES provides more security than one key
TDES (or DES), and three key TDES achieves the highest level of security for TDES. NIST recommends the
use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified
applications.
FIPS 197, Advanced Encryption Standard (AES). The encryption algorithm specified in FIPS 197 is the result
of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm
(originally known as Rijndael, but hereafter referred to as the AES algorithm) was announced in 2000 and
adopted in FIPS 197 in 2001. The AES algorithm encrypts and decrypts data in 128-bit blocks, with three
possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is
AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal
Government sensitive/unclassified applications
Appendix 5 - SIEM
Security Information Event Management is normally referred to as SIEM and is typically a collection of two
technologies, Security Information Management (SIM) and Security Event Management (SEM).
Security Information Management is also often referred to as Log Management, with Security Event Management
often referred to as the Correlation Engine portion of SIEM.
The Log Management layer should be able to collect accounting and audit logs at large volumes, where as the
Correlation Engine should be able to analysis the logs, picking out important behaviours and flagging them for review
via alerts.
It is unusual, but not unheard of for vendors to only provide one of the solutions, either SIM or SEM, to the market, for
example, Splunk and LogLogic are known as having strong SIM capability but poor SEM capability and Arcsight and
RSA have strong SEM capability but poor SIM capability. All these vendors added extra capabilities in an attempt to
address their weakness. It might be worth going for a product that has strong capabilities across both SIM and SEM,
sign-up for our Webcast (below) for some recommendations from independent experts.
The problem with any SIEM solution is that it will collect logs from across the enterprise, millions of them! If you are
collecting these logs, you are likely to want to look at them, and that is where the problem lies.
There is no doubt log analysis improves your risk profile. In fact the Data Breach Report from Verizon clearly states
that in over 90% of the cases they investigated over the last five years, evidence of your breach was in the log file. If
someone was conducting a thorough analysis of the logs at the time of the breach the breach would have been
detected and could have been shut down.
It is therefore critical that any SIEM solution your are looking for has the capability to find "behaviours", rather than
single events and just as important that creating the behavioural rules is easy and intuitive, not requiring vendor
support to do so, as your team will be creating a number of them on an ongoing basis.