COPE-ing with Cyber Risk Exposures
Russ Cohen, Chubb
Ron Bushar, Mandiant Consulting
September 22, 2016

Agenda
- The Challenge
- Transforming COPE to Cyber COPE
- Evaluating Risk for Cyber COPE
- Questions
Pop Quiz

Part 1: Property Assessment
1. How many floors are in your office building?
2. Can you name three materials that your office building is made of?
3. Does your building have a central alarm system?

Part 2: Cyber Assessment
1. Does your company encrypt all sensitive data at rest and in transit?
2. Does your company have firewalls at all Internet access points?
3. Does your company use any unsupported software?

The Challenge
Question: If the number of floors in your building or the age of your sprinkler system can be used to help assess your commercial property risk, why can't the number of computers in your company be used to more accurately assess cyber risk?
Answer: It can, by applying COPE, a time-tested property underwriting model, to technology in order to improve the overall quality of cyber underwriting and data intelligence.
COPE Insurance Underwriting Framework
COPE = Construction, Occupancy, Protection, Exposure

What makes COPE effective for property?
- It's simple to understand
- Provides objective data points
- Provides subjective data points
- Balance of objectivity and subjectivity
- Use of publicly available information
- Promotes discussions on loss control
Introducing Cyber COPE
A new model for cyber underwriting, intended to simplify and improve the assessment of both cyber and privacy risks, with four primary goals:
1. Accessible to both technical and non-technical audiences
2. Provide both objective and subjective measurements
3. Foster information sharing so that organizations can learn from each other to help mitigate future losses
4. Present opportunities for innovation by the insurance and security industry

Transforming COPE to Cyber COPE

| COPE | Cyber COPE | Measurement | Sample Data Elements |
|------|------------|-------------|----------------------|
| Construction | Components | Objective | Number of endpoints and network connections, software versions, and data center locations |
| Occupancy | Organization | Objective | Policyholder's industry, quality of IT and security related policies, and use of industry standards |
| Protection | Protection | Subjective | Data retention policies, firewalls, monitoring, and incident response/response readiness policies |
| Exposures | Exposures | Subjective | Political or criminal motivation, types of outsourcing, and type/amount of sensitive information |
Existing Cyber COPE Implementations

Chubb's Global Cyber Facility Policy
- Cyber COPE used as the basis for the insurance application for Chubb's Global Cyber Facility
- Worked with strategic partners within the cyber security industry to develop a set of questions that provides the necessary data elements
- Shown to help guide collaborative conversations between carriers, brokers and policyholders for assessing large risks
- Helped to identify opportunities for loss control

Cyber Insurance Risk Assessment
- Designed to provide a high-level assessment of an organization's risk level based on the investments it has made in technology, people and process
- Based on the Cyber COPE framework
Expanded Domain Descriptions

Components: Evaluate the Information Security program, including identifying strengths or challenges with current policies, standards or procedures, staffing, leadership awareness, and audit and compliance practices. Review the current processes and policies in place to manage Information Security incidents, breach notification, and crisis management to assess the preparedness of the organization to manage an incident and recover rapidly.

Organization: Review data management processes, including classification policies, technical controls to manage data, encryption usage requirements, data retention policies, and backup and recovery policies and procedures. Review asset management processes, tools, policies, and standard asset build and control requirements to assess whether the organization proactively manages risks associated with endpoints such as laptops, servers, and mobile devices.

Protection: Review existing people, processes, and technologies deployed to detect, analyze, escalate, respond to, and contain advanced attacks. Topics include visibility, operational security capabilities, and incident response.

Exposure: Review the industry, type of business, and geographic regions in which the company does business, and perform an assessment of the threat landscape. Review the existing processes and policies used to identify business and Information Security risks, and their effectiveness. Review the system and network maintenance policies and processes and determine whether the existing controls are appropriate to the risks that have been identified. This includes processes and policies for vulnerability assessment and remediation, logging requirements and log management, endpoint, cloud, and mobile protection and logging, and internal or external penetration testing and remediation of identified vulnerabilities.
Final Deliverable: Risk Outcome
The final deliverable contains a listing of the various domain-specific risk results with recommendations for improving upon these findings.

| Domain | Subdomain | Recommendation |
|--------|-----------|----------------|
| Components | Example: Security Program | Example: Establish Information Security Organization as peer to IT Organization to ensure adequate funding and prioritization of security initiatives. |
| Organization | Example: Data Management | Example: Implement a Data Classification Program to ensure the proper identification, marking, and monitoring of sensitive data types. |
| Protection | Example: Operations | Example: Implement a Vulnerability Management plan that details the schedule, processes, and SLAs for remediating discovered vulnerabilities. |
| Exposure | Example: Hygiene | Example: Develop a Log Retention Policy that dictates how logs are to be stored, for how long, and who has the responsibility for ensuring these criteria are met. |
Deliverables & Benefits

Deliverables
- Cyber Insurance Risk Assessment Report
- Executive Summary
- Identification of Current Capabilities and Risk Levels by Domain
- Strategic Improvement Recommendations
- Executive Presentation
- Threat Assessment Report

Benefits
- Identification, classification, and analysis of cyber risks
- Identification of factors that could cause an insurance company to experience a loss
- Identification of Company and Industry Cyber threats
- Strategic Improvement Recommendations

Sample Report
QUESTIONS?

For More Information
For more information on cyber insurance and Cyber COPE, contact:
Russ Cohen, Director, Cyber/Privacy Services
russ.cohen@chubb.com
215-640-1239

For more information on the Cyber Insurance Risk Assessment, contact:
Ron Bushar, Global Managing Director, Security Program Services
ron.bushar@mandiant.com
703-314-8305

Holly Ridgeway, Global Director, Information Security Programs
holly.ridgeway@mandiant.com
410-610-8611
FireEye Cyber Risk Team
Want to become a partner that supports these assessments?
Create@fireeye.com
Web page: https://www.fireeye.com/current-threats/cyber-risk-insurance.html
Karen Kukoda, Global Partner Alliance Director
Karen.kukoda@fireeye.com
916-458-2030

THANK YOU

Legal Disclaimer: The content of this document is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of Chubb. Any product highlights are summaries only; please see the actual policy for terms and conditions. Products and services may not be available in all locations, and remain subject to Chubb's underwriting criteria. Coverage is subject to the language of the policies as actually issued. Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit www.chubb.com. Insurance is provided by ACE American Insurance Company and its U.S. based Chubb underwriting company affiliates. Surplus lines insurance is sold only through licensed surplus lines producers.