A reinsurer's perspective on cyber threats, cyber resilience, insurance and data taxonomy
Mark Coss, 13-Oct-16

Agenda
1. Cyber security taxonomy: from threats to an insured loss
2. Cyber attack life cycle: what does a targeted attack look like?
3. Information security and systems control risk management framework
4. Cyber insurance: available risk transfer and residual business risk
5. Data taxonomy: what data needs to be fed into an industry database and recorded

1. Cyber security taxonomy: from threats to an insured loss

The taxonomy is built up in layers: assets, the vulnerabilities in those assets, the threats that exploit them, and the actors behind the threats. An insured loss sits at the end of that chain, so each layer has to be recorded if a loss is ever to be traced back to its cause.

Assets (source: http://cambridgeriskframework.com/getdocument/39)
• Workstations: OS, applications, browsers
• Servers
• Network devices
• Telephone
• Cloud provider
• Persons
• Processes
• Information
• ...

Vulnerabilities (source: https://www.riskbasedsecurity.com/2015/12/our-new-year-vulnerability-trends-prediction//)
• Buffer overflows
• SQL injection
• Cross-site scripting (XSS)
• Privilege escalation
• Unencrypted data
• Untrained personnel
• Misconfiguration
• Inadequate policies
• ...

Threats
[Figure: 2015 World Map of Malware & Threats by Sophos (source: © Sophos GmbH), showing regional threat types for Great Britain, Scandinavia, Turkey, Russia, Canada, DACH, USA, Japan, China, Italy, Hong Kong, Saudi Arabia, India, Philippines, Colombia, Malaysia, Brazil, Australia, Singapore and South Africa.]
Threat types on the map: denial of service (DoS), phishing, social engineering, ransomware, viruses/trojans/worms (malware), espionage, botnets, zero-day exploits, identity theft.
Malware families on the map: banking trojans, download malware, remote access trojans (RAT), worms, bootkits, ransomware, password stealers, spambots, viruses, others.

Actors: threat matrix (source: https://www.europol.europa.eu/content/eu-serious-and-organised-crime-threat-assessment-socta)
Each actor class is characterised by motivation, choice of targets, organisation and competence:
• Cybercrime: motivation money; targets individuals, by chance or directly aimed; organisation strongly pronounced; competence high.
• Cyberkid: motivation fun, curiosity; targets by chance or for political reasons; organisation partial; competence low to high.
• Cyberwar and cyber espionage: motivation strategic; targets individual, collateral; organisation perfect; competence very high.
• Cyber-terrorist: motivation ideology/religion; targets ideological, anti-western, collateral, media-effected; organisation regional; competence low to high (with external help).
• Hacktivist: motivation politics, ethics; ideological and political targets; organisation structured; competence middle to high.

2. Cyber attack life cycle

Myth: each cyber attack is different, hence prevention is impossible. In practice:
• Old (successful) attacks are used repeatedly
• Code is re-used amongst criminals
• The cyber attack process is exactly the same
• Recent examples (see the finance case below)

Cyber attack process (source: Cyber Kill Chain, Intelligence-Driven Cyber Defense, Lockheed Martin)

What does a targeted attack look like? The slides build the chain up in four phases, each with its observable steps:
• Espionage: Recon, Lure
• Intrusion: Redirect, Exploit
• Evolution: Dropper, Call Home
• Attack: Data theft, Denial-of-Service, Manipulate data
Because the sequence is the same from one attack to the next, a defender who can recognise any of the earlier steps gets a chance to break the chain before the Attack phase.
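The stage sequence above can be turned into detection logic. The script below is an added example, not code from the deck or from Lockheed Martin: it tags constructed log events (mail gateway, endpoint agent, web proxy, DLP; every hostname, user and address is made up) with the stage names used on the slides, recognises the Call Home step from the regularity of outbound requests (beaconing) rather than from any indicator list, and correlates the stages per host so that a chain is surfaced while it is still at Call Home. Recon is left out because it happens outside the victim's network; Redirect and Intrusion are represented here by the lure and exploit events. The rule strings and the beacon thresholds (at least 4 requests, coefficient of variation of the gaps at most 0.2) are assumptions for the example.

```python
"""Added example (not from the deck): tag constructed log events with the
targeted-attack stages from the slides and correlate them per host.
All hosts, users and addresses are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed events in time order: (seconds, host, log source, detail)
EVENTS = [
    (0,    "ws-17", "mail",  "inbound attachment invoice.docm from ext domain"),
    (60,   "ws-17", "edr",   "WINWORD.EXE spawned powershell.exe"),
    (65,   "ws-17", "edr",   "powershell.exe wrote C:\\Users\\j\\AppData\\svc.exe"),
    (70,   "ws-17", "proxy", "GET http://203.0.113.9/u.php"),
    (370,  "ws-17", "proxy", "GET http://203.0.113.9/u.php"),
    (670,  "ws-17", "proxy", "GET http://203.0.113.9/u.php"),
    (970,  "ws-17", "proxy", "GET http://203.0.113.9/u.php"),
    (1000, "ws-22", "proxy", "GET http://198.51.100.5/news"),
    (1900, "ws-22", "proxy", "GET http://198.51.100.5/news"),
    (2100, "ws-22", "proxy", "GET http://198.51.100.5/news"),
    (2130, "ws-22", "proxy", "GET http://198.51.100.5/news"),
    (5000, "ws-17", "dlp",   "outbound 250MB to 203.0.113.9"),
]


def tag_stage(source, detail):
    """Map one event to a stage name from the slides, or None.
    The rules are illustrative assumptions, not a production rule set."""
    d = detail.lower()
    if source == "mail" and "attachment" in d and "ext domain" in d:
        return "Lure"
    if source == "edr" and "spawned" in d and ("winword" in d or "excel" in d):
        return "Exploit"          # an office document spawning a shell
    if source == "edr" and "wrote" in d and d.endswith(".exe"):
        return "Dropper"          # the shell writing a new executable
    if source == "dlp" and "outbound" in d:
        return "Attack"           # bulk data leaving the network
    return None


def _dst(detail):
    return urlsplit(detail.split(" ", 1)[1]).hostname


def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return the set of (host, destination) pairs whose proxy requests arrive
    at near-constant intervals. A low coefficient of variation of the gaps is
    the classic Call Home signature; a human browsing (ws-22) is irregular."""
    times = defaultdict(list)
    for ts, host, source, detail in events:
        if source == "proxy" and detail.startswith("GET "):
            times[(host, _dst(detail))].append(ts)
    beacons = set()
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:
            beacons.add(key)
    return beacons


def correlate(events):
    """Return {host: [stages in the order first observed]}. Beacon traffic
    is counted as Call Home at the time of its first request."""
    beacons = find_beacons(events)
    first_seen = defaultdict(dict)          # host -> stage -> first timestamp
    for ts, host, source, detail in events:
        stage = tag_stage(source, detail)
        if stage is None and source == "proxy" and (host, _dst(detail)) in beacons:
            stage = "Call Home"
        if stage and stage not in first_seen[host]:
            first_seen[host][stage] = ts
    return {h: sorted(s, key=s.get) for h, s in first_seen.items()}


def hosts_to_triage(events):
    """Hosts whose chain has reached Call Home: the last point at which the
    slides' model still allows containment before the Attack phase."""
    return sorted(h for h, stages in correlate(events).items() if "Call Home" in stages)


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, " -> ".join(stages))
    print("triage:", hosts_to_triage(EVENTS))
```

On the constructed data ws-17 walks the whole chain (Lure, Exploit, Dropper, Call Home, Attack) while ws-22, which only browses the same site four times at irregular intervals, is never tagged; the point of the triage list is that ws-17 is already visible at 70 seconds, long before the 5000-second exfiltration.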
Cyber attacks on the world of finance
• Bangladesh, March 2016: central bank theft of USD 101 million

3. Information security risk management

Accept: cyber attacks are a real threat
• The same risk applies irrespective of business size
• Increasing board recognition of cybersecurity and privacy due to high-profile incidents, e.g. Target
• Increasing focus from regulators
• Cybersecurity incidents: 34% year-on-year growth, and attacks persist on average 200 days before discovery
Why?
• Cultural: acceptance that no system is secure, and consumer privacy concerns
• Technological: cloud security and IoT
Sources: 2015 Trustwave Global Security Report; State of Cybersecurity, ISACA report 2015; Ponemon/IBM data breach study 2015

Cyber risk landscape
• Australia ranked 3rd for malicious URLs/phishing attacks and 4th globally for botnet infections (source: Ponemon 2015)
• The average loss incurred by security breaches is under US$3 million, but that figure covers only direct costs such as forensics, PR and legal. Third-party liability and damages would increase losses fourfold.
• The time for businesses to discover a sophisticated cyber attack is between 200 and 280 days
• 38% of mobile users have experienced cybercrime (source: Symantec 2014)
• In 2013, cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion (source: Symantec 2013)
• 71% of incidents go undetected (source: Trustwave 2014)
• 60% of SMEs close their doors within 6 months of a cyber attack (source: Experian 2015)

Cyber security framework
NIST: a comprehensive cyber security framework, used by ASIC Report 429. The slides build the control areas up over several steps; read from the slide diagram, they group under the five NIST functions as follows.
Identify
• Governance and compliance
• Responsibilities
• Risk management
• Risk assessment
• Asset management
• Procurement
Protect
• User access control
• Awareness and training
• Data security
• Information protection processes and procedures
• Protection technologies
• Encryption
• Anti-virus
• Patch and change management
• Working with external partners
• Recruitment
Detect
• Detection processes
• Security information and event management (SIEM) and anomalies
• Security continuous monitoring
Respond and Recover
• Incident management
• Emergency management
• Backup
• Disaster recovery (DRP)
• Business continuity management (BCP)

4. Cyber insurance

Cyber insurance's role is secondary to cyber resilience: it transfers part of the financial consequence of an incident, not the risk of the incident itself.

Risks transferred and service benefits
• First party: reputational expenses, customer support for customer notification, advertising and credit card monitoring, data recovery, business interruption, investigation and legal costs, cyber extortion, clean-up of leaked data
• Third party: technology professional services, multimedia liability, security and privacy liability, personal data liability, corporate data liability, civil and some criminal penalties, outsourcing risk
• Benefits: access to an expert panel to manage the cyber event and mitigate losses

Business and residual risk (not transferred)
• Loss of or damage to reputation/trust/brand
• Betterment costs to address vulnerabilities
• Physical hardware loss/damage
• Loss of customers and jobs
• Loss of competitive advantage and markets
• Contingent business interruption (CBI) from service interruption of critical infrastructure
• Under- and uninsured losses (plus policy exclusions)
• Specific intellectual property, e.g. patents

Cyber claims: data breaches and insured costs
[Figure: chart of data breach claims and insured costs; the values are not recoverable from the slide.]

Insurance risk transfer solutions for SMEs
A standalone cyber product is to be the main source of liability cover as exclusions in traditional policies become more commonplace. The policy covers 1st party cyber expenses and 3rd party cyber liability, with the following elements: IT vandalism, crisis consulting, forensics, electronic theft, privacy disclosure/liability, internet communication and media liability, security failure, intellectual property, notification costs, business interruption, credit monitoring, legal counsel, network extortion, internal network interruption, access failure, administrative fines.

Munich Re modular wording: overview of coverage elements
I. Loss or theft of data coverage (1st party)
II. Confidentiality breach liability coverage (3rd party)
III. Privacy breach protection coverage (1st party)
IV. Privacy breach liability coverage (3rd party)
V. Payment Card Industry Data Security Standard (PCI-DSS) coverage (1st party)
VI. Business interruption coverage (1st party)
VII. Cyber extortion coverage (1st party)
VIII. Network security liability coverage (3rd party)
IX. Reputational risks coverage (1st party)

Pricing cyber risk is problematic at present
• The key problem is scarcity of data. While there are markets for assessments regarding loss frequencies due to cyber-related threats, this is not the case for loss severities.
• The same holds for cyber-related threats, which are well covered by various parties (commercial as well as non-commercial). However, to turn knowledge about threats into the ability to quantify loss potential, historic threats and losses have to be matched systematically. As of today, this kind of data appears not to be available.
• External pricing models are unavailable; there is no "buy" option (RMS, AIR, Symantec, Cambridge, ...)
• Motivation for the database project (NAIC for industry codes, VERIS for cyber losses in the US)
• Presently there are no mandatory requirements by ISA/APRA, and cyber experience cannot be identified in the NCPD
• Presently mostly pragmatic methods are used for pricing a single cyber risk (e.g. rate on line (ROL), benchmarking)
• Mainly non-experience-based pricing methods have been used globally so far
• Given the very dynamic trends in cyber losses and the risk of change, pricing profitability is not yet ensured

Threat modelling frameworks
There are a number of threat modelling frameworks, designed to help organisations understand cybersecurity risks in a formal, standardised way:
• STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
• DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
• CVSS (Common Vulnerability Scoring System)
• PASTA (Process for Attack Simulation and Threat Analysis)
Note that these operate at different levels: STRIDE, OCTAVE and PASTA enumerate threats against a system, DREAD rates a threat once found, and CVSS scores a single vulnerability rather than a threat model, so a CVSS base score says nothing about how much a given insured would lose.

VERIS cyber data framework
[Figure: VERIS (Vocabulary for Event Recording and Incident Sharing) schema diagram; detail not recoverable from the slide.]

APRA NCPD
Existing industry data inputs (the APRA National Claims and Policies Database) are not relevant to cyber incidents.

Questions and answers
Follow up with Mark Coss at your convenience.
Appendix: cyber threats and loss data for the accounting services sector
[Figures: five charts of cyber threat and loss data for the accounting services sector (source: Hiscox & Advisen; the final chart Advisen only). The chart values are not recoverable from the slides.]
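The appendix charts and the database project on the pricing slide come down to the same question: what shape must a record have so that a recorded threat can be matched to a recorded loss, per industry. The block below is an added example, not from the deck and not the VERIS project's own tooling: a minimal incident record in the VERIS shape (the four A's of actor, action, asset and attribute, plus victim and timeline, with the victim industry as a NAICS code as VERIS records it), a separate loss record keyed on the incident id, and the frequency/severity roll-up a pricing actuary needs. Every incident id, industry allocation, discovery time and loss amount is constructed; the enumeration values follow VERIS's vocabulary but are illustrative, and the unit-to-days conversion is an assumption.

```python
"""Added example (not from the deck, not VERIS tooling): VERIS-shaped incident
records joined to loss records and rolled up per industry.
All ids, industries, discovery times and amounts are constructed."""
from statistics import mean, median

# VERIS's four A's plus the fields needed to place an incident in time and industry
REQUIRED = ("incident_id", "victim", "actor", "action", "asset", "attribute", "timeline")
_DAYS_PER_UNIT = {"days": 1, "weeks": 7, "months": 30, "years": 365}   # assumption


def incident(iid, industry, actor, action, asset, attribute, year, disc_value, disc_unit="days"):
    """Build one VERIS-style record. `industry` is a NAICS code (5412 is accounting services)."""
    return {
        "incident_id": iid,
        "victim": {"industry": industry},
        "actor": {"external": {"variety": [actor]}},
        "action": action,                       # e.g. {"social": {"variety": ["Phishing"]}}
        "asset": {"assets": [{"variety": asset}]},
        "attribute": attribute,                 # which of C/I/A was affected, and how
        "timeline": {"incident": {"year": year},
                     "discovery": {"unit": disc_unit, "value": disc_value}},
    }


INCIDENTS = [  # constructed
    incident("I-001", "5412", "Organized crime",
             {"social": {"variety": ["Phishing"]}, "malware": {"variety": ["Ransomware"]}},
             "S - File", {"availability": {"variety": ["Obscuration"]}}, 2015, 2),
    incident("I-002", "5412", "Unaffiliated",
             {"hacking": {"variety": ["SQLi"]}},
             "S - Web application", {"confidentiality": {"data": [{"variety": "Personal"}]}}, 2015, 200),
    incident("I-003", "5221", "Organized crime",
             {"malware": {"variety": ["Backdoor"]}},
             "S - Payment switch", {"integrity": {"variety": ["Fraudulent transaction"]}}, 2016, 45),
    incident("I-004", "5221", "Organized crime",
             {"social": {"variety": ["Phishing"]}},
             "U - Desktop", {"confidentiality": {"data": [{"variety": "Credentials"}]}}, 2014, 6, "weeks"),
]
# Loss amounts in USD, matched on incident id. I-002 has no matched loss: its
# frequency is known but its severity is not, the gap the pricing slide describes.
LOSSES = {"I-001": 180_000, "I-003": 2_400_000, "I-004": 600_000}   # constructed


def validate(record):
    """A record without all four A's cannot be matched to a threat category later."""
    missing = [k for k in REQUIRED if k not in record]
    if missing:
        raise ValueError(f"{record.get('incident_id', '?')}: missing {missing}")
    return True


def discovery_days(record):
    d = record["timeline"]["discovery"]
    return d["value"] * _DAYS_PER_UNIT[d["unit"]]


def rollup(incidents, losses):
    """Per industry: frequency over all valid incidents, severity only over
    incidents with a matched loss, and median time to discovery."""
    by_ind = {}
    for rec in incidents:
        validate(rec)
        e = by_ind.setdefault(rec["victim"]["industry"],
                              {"frequency": 0, "with_loss": 0, "losses": [], "discovery": []})
        e["frequency"] += 1
        e["discovery"].append(discovery_days(rec))
        if rec["incident_id"] in losses:
            e["with_loss"] += 1
            e["losses"].append(losses[rec["incident_id"]])
    return {ind: {"frequency": e["frequency"],
                  "with_loss": e["with_loss"],
                  "median_discovery_days": median(e["discovery"]),
                  "mean_loss": mean(e["losses"]) if e["losses"] else None,
                  "max_loss": max(e["losses"]) if e["losses"] else None}
            for ind, e in by_ind.items()}


if __name__ == "__main__":
    for ind, stats in rollup(INCIDENTS, LOSSES).items():
        print(ind, stats)
```

The with_loss count sitting below the frequency count for industry 5412 is the whole argument of the pricing slide in one number: a severity distribution can only be fitted to the incidents whose loss was actually recorded against the same id, so an industry database has to capture the loss record in the same taxonomy as the incident record, not in a separate claims system keyed differently.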