Changing the Game: An HPR Approach to Cyber (CRM007)
Speakers:
  Michal Gnatek, Senior Vice President, Marsh & McLennan
  Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc.
Learning Objectives
At the end of this session, you will:
Recognize potential underwriting differentiators
  Why the legacy application-based underwriting approach falls short.
  What information cybersecurity professionals identify as critical to understanding your risk profile.
Consider risk engineering mechanisms to incorporate
  Cybersecurity is a fluid and dynamic risk to every organization.
  Leveraging Cyber insurance to drive enterprise risk management.
Identify benefits of taking an HPR approach to Cyber
  Why differentiating your organization will benefit your company.
The HPR (Highly Protected Risk) Approach
Underwriting
  Pre-Determined Underwriting Standards
  Best-of-Breed Protection
  Thorough Evaluation of COPE, Spread of Risk, Threats
Engineering
  Subject to Risk Control Surveys
  Recommendations
  Obligation to Implement or Justify Non-Compliance
Post-Binding
  Preferred Terms & Conditions
  Competitive Pricing vs. Non-HPR
  Value-Added Services
Current State of Underwriting
Growing Market
  Gross written premiums expected to increase from $2.5B in 2014 to $7.5B in 2020.
  Capacity remains steady at approximately $500M.
  New area of opportunity in otherwise soft Property and Casualty markets.
  Traditional or legacy Cyber insurers threatened by naïve capacity.
Opportunity Riddled With Uncertainty
  Where else (which policies) are insurers exposed to Cyber claims?
  Uncertainty driving conservative pricing.
  Aggregation and concentration continue to be a major concern.
Current State of Underwriting
It's a Tricky Proposition
  Lack of sound actuarial data.
  Adversary adapts to the latest protection/security.
  No commonly accepted standards (e.g., NIST, SANS 20, etc.).
  Difficult to estimate losses resulting from brand/reputation damage and compensation to customers, suppliers, and other stakeholders.
  Delay in detection.
Insurance as Carrot and Stick
  Commercial insurance vs. government backstop (e.g., terrorism).
  Underwriting requirements as a means to drive compliance.
  Better Cyber governance = lower premium incentive.
The Problem With Applications
Snapshot of a Point in Time
  Cyber is fluid and constantly evolving with advancing technologies and adaptive adversaries.
  100% of companies breached had up-to-date anti-virus.
  Compliance is not security.
  New focus in otherwise soft Property and Casualty markets.
Check-the-Box Approach
  Effort to simplify the application process has led to drop-down choices.
  Input needed from multiple stakeholders.
Lack of Consistency
  Carrier applications.
  Broker coverage inventories.
  No applications at all.
  Lloyd's Common Data Requirements.
One Size Fits All
  Cyber risk profile is often industry-specific.
Focus on Technology and Security
  Need for emphasis on people and processes.
Changing the Game
  Interviews
  Maturity Matrix
  Independent Assessment
Differentiating Risk
Mutual Lack of Understanding
  Insurers lack a comprehensive understanding of clients' risk profiles:
    Threats.
    Assets at risk and their respective value (value at risk, VAR).
    Safeguards and protections.
    The human element.
    Resiliency.
  Clients often do not understand how their program is priced:
    Painted with an industry-wide broad brush?
    Premium credit for a best-of-breed framework?
Differentiating Risk
Key Areas of Focus
  Security culture and awareness.
  Encryption protocols.
  Cloud security.
  Business continuity and resiliency plans, including Cyber Crisis Management.
  Third-party threat assessment.
  Continuous monitoring.
  Enterprise risk management approach to Cyber.
Value-Add Services
Partnerships With Third-Party Vendors
  Loss Prevention
    Cybersecurity risk assessment.
    Dark Web data mining and monitoring.
    Vendor security ratings.
    Employee education (e.g., phishing).
    Vulnerability scanning.
  Claims
    Breach coach.
    Incident response, including forensics.
    Crisis communications.
Information Sharing
Business Continuity Planning/Resiliency
FireEye at a Glance
  Public company traded on NASDAQ under the symbol FEYE.
  Headquarters campus: Milpitas, CA; 3,000 employees worldwide.
  Products: advanced cybersecurity threat protection hardware and software, and services including threat intelligence.
  FireEye customers: over 3,700 across 67 countries, including over 675 of the Forbes Global 2000.
  FireEye ranked first in the Cybersecurity 500 List of Companies to Watch in 2015.
Cyber COPE Framework
Component
  Number of endpoints
  Number of network connections
  Software versions
  Data center locations
Organization
  Policyholder's industry
  Quality of IT and security-related policies
  % of budget allocated to security
  Use of industry standards
  Quality of information governance
  % of outsourced services
  Board-level risk appetite
Protection
  Data retention
  Firewalls
  Incident response
  Monitoring
  Encryption
Exposure
  Political or criminal motivation
  Types of outsourcing
  Common software vulnerabilities
  Type and amount of sensitive information
  Reliance on the network for operations
  Compliance and regulatory requirements
Source: ACE's Global Cyber Facility
Engineering for the Evolving Threat Landscape
HPR tools to empower your organization to better protect its key assets and differentiate your risk to cyber underwriters.
AM I AT RISK?
  Red Teaming
  Penetration Testing
  Social Engineering Techniques
AM I PREPARED?
  Security Program Audit
  Response Readiness Assessment (RRA)
AM I COMPROMISED?
  Compromise Assessment (CA)
I AM BREACHED!
  Incident Response
  IR Retainer
PREPARE FOR FUTURE EVENTS
  Cyber Risk for the Enterprise
  Threat Intelligence
Vulnerability Assessments
Cyber COPE Quadrants: Component, Exposure & Protection
Identify critical security vulnerabilities in a controlled, "real world" compromise scenario.
Results help an organization improve its existing security posture while reducing the risk of a successful cyber attack.
  Penetration Testing: exploits known vulnerabilities.
  Red Teaming: uncovers unknown vulnerabilities.
  Social Engineering Techniques.
Cyber Suitability Indicators
  Organization is interested in a first-look assessment.
  Organization is worried about specific critical assets, such as people, processes, or technology.
  Organization wants to know how its security posture measures up against best practices.
Strategic Security Programs
Cyber COPE Quadrants: Organization, Component & Protection
Proactively helps an organization reduce the risk of an incident and minimize the impact in case of a breach.
Results provide a security program roadmap and recommendations.
  Security Program Audit
  Response Readiness Assessment
Cyber Suitability Indicators
  New security leadership within the organization.
  Recent board-level strategic decision to improve security.
  Early-stage organization seeking to improve its security.
Compromise Assessment
Cyber COPE Quadrants: Organization & Exposure
Proactively evaluate an organization's network for the presence of an advanced attack group.
Results should provide:
  Information on current or past attacker activity.
  Understanding of the extent and severity of the compromise.
  Preliminary attack timeline and malware information.
  Recommendations based on the assessment's findings.
Cyber Suitability Indicators
  In an industry vertical that has experienced recent breaches.
  In an industry that is known to be targeted by threat actors.
  An organization that has significant activities in high-risk countries.
Incident Response
Cyber COPE Quadrant: Protection
Investigate and remediate cybersecurity incidents with scale, speed, and efficiency.
Incident Response is an essential element of a business continuity and resiliency plan. Start a dialog.
Benefits of an incident response retainer:
  Pre-negotiated contractual terms.
  Guaranteed rates.
  On-call incident response.
  Reduces the impact of a security incident.
  Reduces business interruption and extra expenses.
Cyber Suitability Indicators
  Organization has identified a past security breach.
  Organization is in a known targeted industry.
  Organization is subject to regulatory reporting requirements in the event of a breach.
Prepare For Future Events
Cyber COPE Quadrants: Protection & Organization
Threat Intelligence: your security and risk management team receives the intelligence and context needed to help identify, block, and respond to cyber attacks.
(Tiered threat intelligence figure: Tier 1, Tier 2, Tier 3 & 4.)
An Enterprise Cyber Risk Framework provides completeness of vision and cultural awareness of information security throughout the organization.
Conclusion
Underwriting
  The current application-driven, point-in-time process does not capture adequate underwriting information.
  The insurance market is beginning to partner with network security companies to better understand and evaluate its portfolio of risk.
Engineering
  Cyber risk management must be an ongoing and continuous process.
  Growing need to leverage third-party network security tools and services to assess threats throughout the policy term.
Post-Binding
  Current market conditions continue to neutralize the positive pricing and coverage impact of best-of-breed policies and protections.
  Underwriters are reluctant to impose required standards as subjectivities to coverage (e.g., Columbia Casualty Co. v. Cottage Health System).
Questions?
Thank You