Using Insurance to Mitigate Cybercrime Risk - Cap Gemini Report
While technological advancements, evolving computer data systems, and internet access offer significant benefits to businesses and their customers, a major challenge that comes with the increased use of technology is an increase in the risk of cybercrime attack. Cybercrime has significant financial and non-financial implications for businesses.
To prevent cybercrime incidents, most companies employ cyber-security measures that combine technology and security procedures. However, since cyber attackers are continuously discovering new ways to exploit vulnerabilities, cyber security alone cannot prevent all potential attacks.
This paper looks at how cybercrime insurance can protect companies from the costs of cybercrime. We explore the challenges for insurance companies offering cybercrime policies, analyze the required investments, and provide recommendations.
Financial Management of Cyber Risks
An Implementation Framework for CFOs
Business is currently on the front lines of a raging cyber war that is costing trillions of dollars and endangering our national security.
Effective, low-cost mechanisms are already in place to shield against many elements of the cyber threat. But too often executive leaders wait until they are compromised to put a reactive plan into action, damaging their company’s reputation and incurring additional cost.
Greater understanding and guidance are needed to help businesses bolster information security and reduce vulnerability to cyber attacks.
That is why the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have developed this free, easy-to-use action guide, which brings together the independent research and the collective wisdom of more than sixty experts from industry, academia, and government.
All of these experts agree: the single biggest threat to cybersecurity is misunderstanding.
Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department.
This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data. Instead, this critical responsibility is handed over to IT, a department that, in most organizations, is strapped for resources and budget authority. Furthermore, the deferring of cyber responsibility inhibits critical analysis and communication about security issues, which in turn hampers the implementation of effective security strategies.
In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective.
The chief financial officer (CFO), as opposed to the chief information officer (CIO) or the chief security officer (CSO), is the most logical person to lead this effort.
This publication was created to provide a practical and easy-to-understand framework for executives to assess and manage the financial risks generated by modern information systems.
The Report can be found at: http://webstore.ansi.org/cybersecurity.aspx
Privacy Risk Management
Personal data have to be distinguished from other information within information systems.
They can represent a value to the organization that processes them. But their processing also creates, de facto, a significant liability because of the risks it poses to the privacy of data subjects.
They have value for data subjects as well. They can be useful for administrative or commercial purposes, or may even contribute to their image. But security breaches in data protection can also cause physical injury and material and moral damage.
Finally, they have a value for others. This includes a market value if they are exploited for commercial purposes (spam, targeted advertising…), or a nuisance value in the case of unfair actions (discrimination, refusal of access to benefits, dismissal…) or malicious actions (identity theft, defamation, threats, blackmail, burglary, assault…).
Since a controller processes personal data, he has to comply with [Act-I&L].
First, he has to ensure that the purposes of the processing of personal data are defined, that the collected data are relevant to these purposes, and that they are deleted at the end of a determined period.
He also has to ensure that data subjects are informed and can exercise their rights (opposition, access, rectification and deletion). Whether these rights are taken into account at the level of the organization and whether the exercise of these rights is effective, have to be assessed.
In addition, he has to ensure the security of the data he processes. [Act-I&L] states in Article 34 the obligation for any controller to "take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data." It is therefore necessary to identify the risks related to the processing of personal data before determining the appropriate means to reduce them.
Finally, he has to meet the specific requirements that apply to his processing and to the data processed, especially when it comes to sensitive data, when personal data are transferred outside the European Union, etc.
To this end, it is appropriate to adopt a global vision that goes beyond the framework of the organization's activities and the purposes determined for its processing, and that allows the impacts on the individuals concerned by those data to be studied.
The Report can be found at: http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf
Guide To Cyber Risks Management
Sponsored by Chartis
It’s a cliché to say the internet is everywhere – but it’s true. The numbers are simply staggering.
The Social Revolution on YouTube claims there are 9 billion connected devices worldwide at the moment and that will increase to 24 billion in the next eight years. The European Union claims that in 1995 just 1% of Europeans had access to a computer at home – by 2011, 73% had access to the internet at home.
And the numbers are only going to grow. Delivery may change but access and connectivity are not going away.
Businesses rely on their systems to operate internally and to communicate with customers, all day every day.
So it is no wonder that cyber risks have moved up the agenda. The European Commission estimates that more than 1 million people worldwide are victims of cyber crime every day, while PwC reports global cyber security spending was expected to reach $60bn (£37bn) in 2011 and is forecast to grow at 10% every year during the next three to five years.
Its report claims the USA accounts for more than half of all security deals globally. This is no surprise, with the USA remaining a litigious society where privacy is closely guarded. However, new regulations being developed in the EU could soon enforce more stringent requirements across Europe too. Suddenly, cyber liability is becoming a boardroom issue. Directors have a responsibility to address the risk or face the very real threat of angry shareholders and personal claims against them for dereliction of duties. Cyber insurance has been available for a number of years but it too is evolving to meet the new challenges. More capacity is coming into the market and cover is adapting to match the demands of customers who need to shift cyber risks off their balance sheets.
Research by Chartis suggests 25% of firms purchase cover in the USA, where laws, litigation and knowledge are all conducive to high demand. In Europe the number would be less than 5%, according to Chartis, hence the scope for growth is huge. Many of the companies asked said they could afford to self-insure – brokers and insurers are seeing this attitude change as the regulatory requirements toughen up and companies realise the potential cost of a cyber attack.
According to the fifth annual US Cost of a Data Breach Study by the Ponemon Institute, the cost of an event per record is rising at 9.2% every year in the USA and has already breached the $200 per customer record level. Ponemon also found the average total per-incident costs in 2009 were $6.75m, up from $6.65m in 2008. Consider that Sony had 77m customers affected by its data breach in April 2011 and the figures could be enormous.
The Report can be found at:
Insurability of Cyber Risk: An Empirical Analysis
Christian Biener, Martin Eling and Jan Hendrik Wirfs
This paper discusses the adequacy of insurance for managing cyber risk. To this end, we extract 994 cases of cyber losses from an operational risk database and analyze their statistical properties. Based on the empirical results and recent literature, we investigate the insurability of cyber risk by systematically reviewing the set of criteria introduced by Berliner (1982). Our findings emphasize the distinct characteristics of cyber risks compared to other operational risks and bring to light significant problems resulting from highly interrelated losses, lack of data, and severe information asymmetries. These problems hinder the development of a sustainable cyber insurance market. We finish by discussing how cyber risk exposure may be better managed and make several suggestions for future research.
A Taxonomy of Operational Cyber Security Risks
James J. Cebula and Lisa R. Young
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) method.
Cyber Security, Cyber Governance and Cyber Insurance
Christine Marciano and Paul Ferrillo, Counsel at Weil, Gotshal & Manges LLP in New York City, have written a comprehensive report, “Responding to Today’s Data Breach Environment: What Every Director (or any company for that matter) Really Needs to Know about Cyber Insurance.”
The report offers a deep dive on cyber insurance and discusses:
- If your company experienced a data breach today, would your board be ready?
- Reputational Loss after a Data Breach
- Incorporating Cyber Insurance Into Your Data Breach Incident Response Plan Today
- Evaluating Cyber Insurance Policies
- The Immediate Advantages of Cyber Insurance
- How Much Cyber Insurance Coverage Should Companies Buy?
- Insuring Your Board and Company’s Cyber Risk
- Evaluating and Knowing Your Cyber Insurance Carrier’s Claims Paying and Handling Reputation is Crucial
- Intellectual Property Exclusion in Cyber Insurance Policies
- Cyber Terrorism
- Five Things Every Board Needs to Know When Buying Cyber Insurance
Information Security & Cyber Liability Risk Management:
The Third Annual Survey on the Current State of and Trends in Information Security and Cyber Liability Risk Management - Sponsored by Zurich
Historians may look at the year 2013 as a sort of cyber tipping-point - the point at which businesses and governments finally realized the severity of the threats they were facing. Revelations about the NSA's cyber espionage program, evidence of theft of business intellectual property by state-sponsored hackers and attacks on the U.S. financial system by the Syrian Electronic Army are a few of the many cyber events that made headlines.
Exposures such as operational disruptions due to denial of service attacks, lost or stolen data, violation of privacy laws and intellectual property infringement have long been a concern of larger companies. In 2013, smaller businesses began to increasingly realize that they were also at risk. As a result, information security risks became a risk management focus of more organizations and insurance cemented itself as a part of the cyber risk management strategy for a majority of organizations surveyed by Advisen.
The Report can be found at:
The Changing Role of the Risk Manager
Sponsored by ACE
An ever-evolving risk landscape combined with a heightened emphasis on the strategic importance of risk management mean that the roles and responsibilities of many risk managers are changing at a rapid pace. In many organizations, risk managers are becoming more visible and more engaged in strategic decision making, but for many risk managers that means learning to navigate unfamiliar terrain as their influence and responsibilities expand.
The Report can be found at: https://www.advisen.com/pdf_files/risk-manager-changing-role-ace-2013-09.pdf
Cyber-crime is greatest global threat to organizations’ survival today
With information security functions not fully meeting the needs in 83% of organizations, 93% of companies globally are maintaining or increasing their investment in cyber-security to combat the ever increasing threat from cyber-attacks, according to a new survey released by EY today.
- Information security function fully meets needs in only 17% of organizations
- Ninety-three per cent of companies maintained or increased security budget over last 12 months – yet budget constraints still biggest obstacle to delivering value
- Organizations must be forward-looking and prepare for emerging technologies
- Talent shortage hindering fight against cyber-attacks – especially in Europe
Under cyber-attack, EY's 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvasses the opinion of over 1,900 senior executives globally. This year’s results show that as companies continue to invest heavily to protect themselves against cyber-attacks, the number of security breaches is on the rise and it is no longer a question of if, but when, a company will be the target of an attack.
Thirty-one percent of respondents report that the number of security incidents within their organization has increased by at least 5% over the last 12 months. Many have realized the extent and depth of the threat posed to them, resulting in information security now being ‘owned’ at the highest level within 70% of the organizations surveyed.
Paul van Kessel, EY Global Risk Leader comments “This year’s survey shows that organizations are moving in the right direction, but more still needs to be done – urgently. There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35%.”
Ken Allan, EY Global Information Security Leader adds: “Cyber-crime is the greatest threat for organizations’ survival today. While budget allocations toward security innovation are inching their way up, enabling organizations to channel more resources toward innovating solutions that can protect them against the great unknown – the future – many information security professionals continue to feel that their budgets are insufficient to address mounting cyber risks.”
Information security departments are still feeling the pinch
Despite half of the respondents planning to increase their budget by 5% or more in the next 12 months, 65% cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organizations with revenues of US$10m or less this figure rises to 71%.
Of the budgets planned for the next 12 months, 14% is ear-marked for security innovation and emerging technologies. As current technologies become further entrenched in an organization’s network and culture, organizations need to be aware of how employees use the devices, both in the workplace and in their personal lives. This is especially true when it comes to social media, which respondents identified as an area where they continue to still feel unsure in their capability to address risks.
Ken explains: “Organizations need to be more forward-looking. Moreover, if organizations are putting all their energy into addressing current technology issues, how will they protect themselves against technologies that are just around the corner or are about to appear on the horizon? If organizations still don’t have a high level of confidence after four years of mobile device use in the workplace, how will they face the challenge of managing and defending against personal and hosted clouds for example?”
Information security departments struggle with a lack of skilled resources
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50% of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20% of previous survey participants indicated a lack of executive awareness or support, 31% now cite it as an issue.
Ken comments: “A lack of skilled talent is a global issue. It is particularly acute in Europe, where governments and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool. As a result, while organizations feel they are addressing the right priorities, many indicate that they do not have the skilled resources to support their needs.”
Looking ahead, Paul concludes: “Organizations must undertake more proactive thinking, with tone-from-the-top support. Greater emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions is needed. The pace of technology evolution will only accelerate – as will the cyber risks – and not considering risks until they arise gives cyber attackers the advantage, jeopardizing an organization’s survival.”
For further information ,
What Might "Forward Thinking" Risk Managers Do?
Cyber Risk and Insurance
Managing cyber risks with insurance.
Key factors to consider when evaluating how cyber insurance can enhance your security program
Managing cyber risks to sensitive information assets and systems is a top priority for most companies. That’s because the scope, severity, and costs of cyber-attacks are increasing, whether these attacks seek to damage data and systems or steal sensitive information such as trade secrets or personal data. Many are finding that cyber insurance can be an effective tool to help manage these risks.
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
With the increasing cost and volume of data breaches, cyber security is quickly moving from being considered by business leaders as a purely technical issue to a larger business risk. This shift has spurred increased interest in cyber insurance to mitigate the cost of these issues. In a new study sponsored by Experian® Data Breach Resolution, Ponemon Institute surveyed risk management professionals across multiple sectors that have considered or adopted cyber insurance. Based on responses, many understand that security is a clear and present risk. Indeed a majority of companies now rank cyber security risks as greater than natural disasters and other major business risks.
European Union Cyber Exposures
The Risk Manager’s Role in Mitigating Cyberrisk - by Kevin P. Kalinich
With cyberrisks becoming more prevalent, organizations in every industry are faced with the increased possibility of legal exposure, reputational harm and business interruption that can wreak havoc on a company’s bottom line. As a result of the potential losses, risk managers must become more educated on matters relating to the financial impact of cyberexposures and assist corporate directors and officers in satisfying fiduciary duties to protect their company’s assets. After identifying, qualifying and quantifying their cyberrisks, risk managers should consider the following steps to protect their organizations:
1. Implement a Cybermitigation Policy
While proactive measures to mitigate risk can be costly and time consuming, they are far less demanding than the consequences of a serious breach. Moreover, having a robust, well-documented program to monitor cyberrisks may provide favorable evidence of the company’s efforts, thus reducing liability should an incident occur.
A cybermitigation program should start with the following:
- Implement IT security access, use and protection policies and procedures. Note that insurance underwriters will rely on third-party security assessments when conducting due diligence to quote a premium and coverage for cyberinsurance.
- Assist legal with contractual allocation of liability
- Train and monitor employees, subcontractors, third parties and others regarding such best practices. Updating written policies and procedures, combined with ongoing training, helps create a culture of best practices.
- Model the range of potential frequency and severity of losses from cyberincidents for your unique industry and entity specific circumstances
- Determine the entity’s risk appetite to retain, mitigate and transfer cyberexposures compared to the entity’s overall enterprise risk management
Capable risk management advice, combined with legal and IT security, can not only prevent or limit information security breaches, but can mitigate the most adverse consequences of such breaches.
In light of the increased significance of cybersecurity matters, it is essential that corporations develop a comprehensive program. A team consisting of IT, legal, risk management, CIO, security, human resources, product development, sales, marketing and other pertinent personnel should be involved in developing and executing the program.
Risk managers should advise their IT security department to audit and regularly review reliance on different forms of technology (e.g., computers, smartphones, tablets, USB devices) and ensure that the various uses of such technology (e.g., work, social media, personal use) are appropriately regulated in company IT and/or social media policies and guidelines.
2. Evaluate Third-Party Providers
Vendors, suppliers, consultants, IT providers and a range of other third parties have occasion to access various types of confidential corporate information. A risk assessment should be conducted for each third-party provider and, depending on the type of data being shared, additional steps should be considered to prevent security breaches. Risk managers should evaluate a range of questions, including:
- How does the provider erect security walls between data from different customers?
- Who will have access to the information and is encryption possible?
- Will customers be notified that their information will be stored in a cloud?
- Does the cloud provider have its own adequate insurance coverage (possibly requesting that your organization be named as an “additional insured”)?
- Is some information simply too sensitive to turn over to a third party?
Third parties should, at a minimum, be expected to accept inclusion of language in which they warrant that they are in compliance with applicable laws relating to information privacy and security. Contracts should contain indemnification provisions that commit the third-party providers to indemnify you should a security or privacy breach occur.
Risk managers may discover that their organization is unaware of which vendors and suppliers have access to its confidential data, such as personally identifiable information on customers and employees, or proprietary information about the company’s products. The first step in implementing a system to manage this exposure is to identify the various suppliers and vendors and to determine precisely what type of information each third-party entity is being sent (or otherwise accessing). A robust audit is essential. These audits should examine not only the outsourced IT service providers, such as storage providers, but also any other type of third-party organization or individual who might have access to corporate data.
Risk management should consider the benefits of implementing a data breach management policy to address and outline internal corporate prevention, detection and incident response processes in response to a security breach. It could help in defending an allegation that the company failed to take reasonable care in handling a data security breach.
3. Review Possible Coverage Under Existing Insurance Policies
While some categories of losses might be covered under standard policies, many gaps often exist. In the United States, insurers are filing declaratory judgment actions against their insureds to deny coverage for cyberexposures under property, general liability, professional liability and crime policies. Some courts are finding that these traditional policies, such as property policies, do not cover the types of intangible harm that results from data breaches. Coverage may also be denied if intentional acts are excluded from coverage.
Property, general liability, crime/bond, D&O, professional liability, and kidnap and ransom insurance may apply in the event of a cyberincident. Many breached entities and other responsible parties have been aided tremendously by their insurance policies. Business-to-business firms (predominantly technology centric) that participate in the personally identifiable information (PII) chain can blend cybercoverage into a commercial errors and omissions policy to contemplate a large percentage of the risks, but such firms continue to struggle to ensure insurability where their technology and information asset exposures evolve on a regular basis. Insurers are also denying coverage under professional liability/errors and omissions and D&O policies, with mixed outcomes in the courts.
Risk managers should work with their insurance broker to analyze such policies and determine any potential gaps in existing coverage as cyberevents have the ability to impact numerous lines of insurance coverage.
4. Consider Specific Cyberinsurance to Fill Any Obvious Gaps
Insurance specifically designed to cover the unique exposures of data privacy and security can act as a backstop to protect a business from the financial statement harm resulting from a breach. Coverage for cyberlosses generally fits into two categories, depending on the nature of the event:
- First-party financial loss: The party that experienced the cyberevent suffers financial losses or costs associated with the event. The most commonly cited examples include costs associated with data breach response and lost income attributable to network/IT interruption.
- Third-party financial loss: A party other than that which experienced the cyberevent suffers financial losses or costs associated with the event. This could be a customer, business partner, employee or unrelated third party, such as lost personally identifiable information or supply chain disruption.
Available policies can cover privacy breach notification and crisis management, regulatory defense and civil penalties, and liability resulting from a breach. Limits of more than $300 million are available, with premiums ranging from $5,000 to $50,000 per $1 million of coverage, depending upon the retention, losses, revenue, scope of business and risk mitigation employed.
The application process is becoming streamlined whereby multiple carriers will quote pricing, terms and conditions based on one common application. However, it is well advised to develop a comprehensive list of specific priority coverage grants and dictate such requests to the insurance carriers in the form of a submission priority coverage matrix. Policy wording is paramount to successful coverage.
Some policies include first-party network business interruption – to cover loss of revenue during network interruption; information asset – to cover restoration costs or loss of value associated with electronic data; cyberextortion – to pay an extortion demand if doing so successfully wards off a cyberevent; and contingent business interruption – to cover loss of revenue during the downtime of a critical outsourced IT provider (e.g., cloud services).
Given the exposures and constantly evolving risks associated with cyberevents that could cripple companies, industries and critical infrastructures, prudent insureds should review their insurance program with their insurance broker and seek out professionals who understand the cyberinsurance market before those catastrophic events take place. Organizations must understand the insurance coverage they have and, just as importantly, understand what cyberinsurance coverage they deliberately decided not to purchase. A good risk manager can help their organization understand the options and alternatives for cyberinsurance, thereby giving the insured the proper information to make an educated decision as to what type and how much insurance will be in place for the next big cyberattack.