15 July 2017
Cyber Attack: Is Your Business at Risk?
Stanley Wong, Regional Head of Financial Lines, Asia Pacific
Agenda
- Some common misconceptions by SMEs around cyber protection
- Cyber Claims and Industry Trends
- Cyber Targets by Organisation Size
- Cyber Incidents by Country
- Cyber Claims Overview
- Where the Money is Spent
- Cyber Insurance Coverage Summary
- Incident Response Solution/Service
- Claims Case Studies
- 8 Truths about Cyber Security
23 July 2017
The Petya Ransomware Attack
Some common misconceptions by SMEs around cyber protection
- "My company is not exposed to cyber-attacks": Unless you don't use any computer, mobile device etc!
- "IT companies are more vulnerable to attacks": I will reveal the truth in the next slide!
- "This is a big company problem": I will reveal the truth in the next slide!
Some common misconceptions by SMEs around cyber protection (continued)
- "Our IT department has cyber risks under control": Hackers are now releasing over 100,000 new ransomware every day. No security software vendor can keep up easily.
- "We outsource": Liability can't be outsourced!
- "I don't know that such protection is available / I don't know about the coverage": I will tell you more in the following slides!
- "I don't have the budget / Cyber insurance is very expensive": Not really!
Cyber Claims and Industry Trends (10 years of data)
Triggers and Industry Trends (as of 10/2015)
- Hack 29%
- Privacy Policy 8%
- Rogue Employee 14%
- Human Error 15%
- Software Error 3%
- Other 8%
- Lost/Stolen Devices 18%
- Paper 5%
- Laptops 13%
- Hard Drives 3%
- Other 2%
Source: Chubb's global claims data.
Industry Breakout:
- Healthcare 30%
- Technology 11%
- Professional Services 14%
- Retail 9%
- Financial Institutions 7%
Targeted Attacks for PI:
- Lost/Stolen Devices: 2013 17%, 2014 12%, 2015 11%
- Hack: 2013 29%, 2014 27%, 2015 43%
- Rogue Employee: 2013 14%, 2014 16%, 2015 11%
Total Number of Cyber Events by Industry
Source: Journal of Cybersecurity Volume 2, Dec 2016
Loss by Industry
Source: Journal of Cybersecurity Volume 2, Dec 2016
Cyber Targets by Organisation Size: 2011 vs 2015
- Large enterprises (2,500+): 2011 50%, 2015 35%
- Medium (251 to 2,500): 2011 32%, 2015 22%
- Small (1 to 250): 2011 18%, 2015 43%
Source: Internet Security Threat Report 2016 Volume 21
Cyber Incidents by Country: First Three Months of 2017
Analysis by Country: Top 10 Incidents by Country
Countries: United States, United Kingdom, Canada, India, Australia, Indonesia, China, France, Taiwan, Russian Federation
Chart values: 51, 32, 23, 16, 16, 15, 8, 8, 7, 757
North America accounted for 63% of breaches
Source: Risk Based Security's 2017 First Quarter Data Breach Quickview Report
Where The Money Is Spent?
Source: Ponemon 2015 Cost of a Data Breach Study Australia pg 14
Cyber Claims Overview (10 years)
Average Cost of First Party Expenses (as of 10/2015)
- Legal Fees: $51,600
- Forensics: $185,600
- Notification & Call Center: $81,600
- Credit Monitoring: $59,150
- Crisis Management: $44,500
Every Breach Response is Unique
Cost Range of Each Service
- Legal Fees: Under $5,000 up to about $50,000
- Forensics: About $10,000 to Seven Figures
- Notification & Call Center: up to $80,000
- Credit Monitoring: Payment per Enrollee or Restoration Service
- Minimal Crisis Management Costs
Source: Chubb's global claims data
Cyber Insurance - Coverage Summary
Cyber Policy
- Third party liability coverage: Privacy Liability; Network Security Liability
- First party loss coverage: Cyber Extortion; Business Interruption
- Expenses coverage: Incident Response Costs
Incident Response Solution/Service Internal Forensics IT Forensics Forensic Accountancy Cyber Extortion Legal and Compliance Incident Response Manager Public Relations Notification Specialists Identity Protection Public Notification Call Centre Regulatory Notification
Claims Case Study 1
A staff member at an insurance broker opened a file from their Facebook page that contained malware (Crypto locker). Over the weekend the malware started to encrypt all the broker's data so that it was unreadable to staff. The broker also received a ransom demand that, if paid, would provide access to a key that decrypted the data. Federal police were called, along with additional forensics assistance. The network and operations were impaired for over 10 days. (Note: the IT function was outsourced.)
- Call Incident Response Manager
- Recovery Expenses: Lease servers Network security lawyers
- Incident Response Expenses: Forensics Team; Public relations; Legal
- Business Income Loss: payroll expenses
- Cyber Extortion: Payments demanded to mitigate the extortion.
- Privacy Liability: Defence Costs Privacy Liability Impaired Access Regulatory Fines
First-party $200k
Third-party related
Claims Case Study 2
The data centre which hosted an online retail company's website became the target of a distributed denial of service attack. The attack, which utilised hacked internet of things devices, flooded the data centre's network with so much traffic that their network failed. This made the online retail company's website inaccessible for a period of six hours before backup systems were able to restore 100% functionality.
- Call Incident Response Manager
- Recovery Expenses: Increased cost of working (sub contract with external provider)
- Incident Response Expenses: Forensics Team; Public relations; Legal
- Business Income Loss: Lost sales and revenue from website downtime
First-party $216k
8 Truths about Cyber Security
- Impact of reputational damage
- What SMEs should do when they experience cyber-attacks
- Cyber ransom: After you've paid, you'll be more vulnerable to future attacks
- Insurance is part of risk management measures to keep businesses on stable financial footing if a security event takes place
8 Truths about Cyber Security (continued)
- Cyber insurance is not just financial loss protection, but a comprehensive package with different specialist advice available via an Incident Response Team
- Ransom decisions can be tough. The FBI warns that paying ransom encourages this kind of criminal activity. In certain events some jurisdictions treat this as a criminal activity.
- Don't think that your organisation is safe from cyberattacks. It's not a matter of if, but when.
- Importance of risk mitigation measures to minimise the impact of a cyber-attack on your company's operations
Chubb. Insured.