Systemic Cyber Risk and Cyber Insurance. February 14, 2018

Transcription

1 Systemic Cyber Risk and Cyber Insurance February 14, 2018

2 Questions 1. How big is the problem? 2. Have recent massive attacks affected the industry? 3. Where is the market headed? 4. How will government policy, regulation, and jurisprudence affect the issue?

3 The Equation for Risk R = VTC Risk is a product of Vulnerability, how exposed are your data and network? Threat, how targeted are your cyber assets? Consequences, what is the impact of the event? 2

4 Business Blackout Lloyd s, July 2015 Lloyd s analyzed the effects of a major attack on U.S. power and utilities. THESIS: A cyber attack on the U.S. power grid in the Northeast United States would result in the loss of lives, economic loss of as much as a trillion dollars, disruption of water and transportation, and potentially more than $70 billion in insurance clams. Total impact to the U.S. economy was estimated at $243 billion, but could top $1 trillion in the most extreme version of the scenario. A December attack on the Ukrainian power grid is acknowledged as the first cyber attack to cause a power outage. A second power outage resulted from another attack a year later. February 9,

5 Presidential Commission on Enhancing National Cybersecurity April - December 2016 Followed up Executive Order 13636: Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive-21: Critical Infrastructure Security and Resilience Offered 53 cybersecurity recommendations. Typical goals increase awareness, more assessment. But know that Even if industry was meeting a higher standard, it still could not protect itself from technological interdependency. Nontechnical aspects of cybersecurity are as important as cybersecurity technology. The U.S. government bears the ultimate responsibility leads to regulation where public safety and security are at risk. 4

6 Defining Systemic Cyber Risk World Economic Forum - October 2016 What is Systematic Cyber Risk? We currently lack the common lexicon Working definition 1. Cyber event within critical infrastructure ecosystem 2. Cause significant delay, denial, breakdown, disruption or loss, 3. Consequences cascade into related ecosystem components 4. Significant adverse effects to public health or safety, economic security or national security. February 9,

7 16 17 Sectors of Critical Infrastructure DHS added election systems in January 2017 Key Question: Are you Section 9? 6

8 DYN - Vulnerability by Interdependency September / October 2016 Internet of Things devices, built for basic consumer use, were used to create large-scale botnets networks of devices infected with self-propagating malware that executed crippling distributed denial-of-service (DDoS) attacks. Two large and complex DDoS against DYN s Managed Domain Name System. October Mirai Botnet Attack launches massive Distributed Denial of Services Attacks Affected approximately 145,000 domains (Twitter, Reddit, CNN, PayPal) US-CERT, Alert (TA-288a): Heightened DDoS Threat Posed by Mirai and Other Botnets, (Oct. 17, 2016), February 9,

9 The Fourth Industrial Revolution Expands the Attack Surface (i.e., No Wonder This Is Happening) Currently there are more than 8 billion connected devices in operation By 2020, there will be 21 billion connected devices, with half connecting to Industrial Control Systems. 8

10 The Markets are Paying Attention As Well December 2016 AIG report defines Systemic Cyber Risk as an event capable of impacting many companies at the same time. How likely is it that one systemic attack will impact multiple companies in the next 12 months? February 9,

11 Protecting Against Cyber Risk Aggregation Tools to prevent cyber risk aggregation include Policy Language Underwriter Submissions External Assessments Tracking Silent Cyber Source, AIR Worldwide

12 MONGO DB January 2017 MongoDB is an open source platform used to store unstructured data. When installed with default settings, for example, MongoDB allowed anyone to browse the databases, download them, or even write over them and delete them. Ransomware attacks in January 2017 erased approximately 29,000 MongoDB databases. Source: February 9,

13 Lloyd s Counting the Cost July 2017 Designed to increase insurers and risk managers understanding of cyber-risk liability and aggregation. Analyzed the potential economic impact of two scenarios: 1. Hacktivist attack causes cloud-based customer servers to fail, leading to widespread service and business interruption. Insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss. 2. Disclosure of a widespread vulnerability for an operating system results in widespread attacks. Losses range from US$762 million (large loss) to US$2.1 billion (extreme loss). How much of the loss will insurance cover? February 9,

14 Raising the Stakes of Cybersecurity WannaCry and NotPetya May 2017: Wanna Cry malware guickly spread globally to infect more than 300,000 computers in 150 countries. In the UK, more than 80 National Health System hospitals were impacted. North Korea has acted especially badly, largely unchecked, for more than a decade... WannaCry was indiscriminately reckless. 1 Manufacturers, transport and logistic companies, pharmaceutical firms and utilities reportedly suffered over $1 billion in economic losses in the aggregate. 1 It s Official: North Korea Is Behind WannaCry, by Thomas P. Bossert, WALL STREET JOURNAL (Dec. 18, 2017). (accessed at February 9,

15 MELTDOWN and SPECTRE January 2018 Nearly every computer chip manufactured in the last 20 years contains fundamental security flaws. The flaws arise from features built into chips that help them run faster. Patches exist, but can impacts performance. No evidence of exploitation yet So fundamental and widespread, security researchers the vulnerabilities catastrophic. February 9,

16 IoT Regulation President Trump issued an order requiring Commerce and DHS identify actions to mitigate botnets. Sets five (5) goals for securing the IoT ecosystem : 1. Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace. 2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats. 3. Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior. 4. Build coalitions between the security, infrastructure and operational technology communities domestically and around the world. 5. Increase awareness and education across the ecosystem. 15

17 Market Transparency of Cyber Risk Thus far, little use of SEC enforcement power to regulate cyber risk On May 11, the White House mandated the development of practices and policies to promote appropriate market transparency of cyber risk management. 16

18 Sector Specific Regulation Based on the NIST Framework, more sector specific agencies are requiring different protocols and practices. States are also adopting new cyber regulations Inevitably, the regulation of cybersecurity will set minimal practices of what is reasonably expected to protect systems and data. Failure of these minimal standards will lead to civil cyber liability. 17

19 GDPR is Coming Security breach notification Accountability & privacy impact assessments Extraterritorial reach for EU data abroad Restrictions on secondary uses Enhanced enforcement; significant fines: 2-4% of global revenue Individual rights The GDPR will change not only the European Data Protection laws but nothing less than the whole world as we know it. Jan Philipp Albrecht, Member of the European Parliament Notice & consent requirements DPO requirements 18

20 The Weakest Link Human Beings Remain a Systemic Vulnerability 91% of cyber attacks start with a phishing . - DarkReading, December

21 Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, Oliver Wyman. This document and any recommendations, analysis, or advice provided by Marsh (collectively, the Marsh Analysis ) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Copyright Marsh LLC. All rights reserved. Compliance MA