Using Insurance to Mitigate Cybercrime Risk - Cap Gemini Report
While technological advancements, evolving computer data systems, and internet access offer significant benefits to businesses and their customers, a major challenge that comes with the increased use of technology is an increase in the risk of cybercrime attack. Cybercrime has significant financial and non-financial implications for businesses.
To prevent cybercrime incidents, most companies employ cyber-security measures which include a combination of technology and security procedures. However, since cyber attackers are continuously discovering new ways to exploit vulnerabilities, cyber security alone cannot prevent all potential attacks.
This paper looks at how cybercrime insurance can protect companies from the costs of cybercrime. We explore the challenges for insurance companies offering cybercrime policies, analyze the required investments, and provide recommendations.
Financial Management of Cyber Risks
An Implementation Framework for CFOs
Business is currently on the front lines of a raging cyber war that is costing trillions of dollars and endangering our national security.
Effective, low-cost mechanisms are already in place to shield against many elements of the cyber threat. But too often executive leaders wait until they are compromised to put a reactive plan into action, damaging their company’s reputation and incurring additional cost.
Greater understanding and guidance are needed to help businesses bolster information security and reduce vulnerability to cyber attacks.
That is why the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have developed this free, easy-to-use action guide, which brings together the independent research and the collective wisdom of more than sixty experts from industry, academia, and government.
All of these experts agree: the single biggest threat to cybersecurity is misunderstanding.
Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department.
This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data. Instead, this critical responsibility is handed over to IT, a department that, in most organizations, is strapped for resources and budget authority. Furthermore, the deferring of cyber responsibility inhibits critical analysis and communication about security issues, which in turn hampers the implementation of effective security strategies.
In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective.
The chief financial officer (CFO), as opposed to the chief information officer (CIO) or the chief security officer (CSO), is the most logical person to lead this effort.
This publication was created to provide a practical and easy-to-understand framework for executives to assess and manage the financial risks generated by modern information systems.
The Report can be found at: http://webstore.ansi.org/cybersecurity.aspx
Privacy Risk Management
Personal data have to be distinguished from other information within information systems.
They can represent a value to the organization that processes them. But their processing also causes, de facto, a significant liability due to the risks brought upon the privacy of data subjects.
They have value for data subjects as well. They can be useful for administrative or commercial purposes, or may even contribute to their image. But security breaches in data protection can also cause physical injury, material and moral damage.
Finally, they have a value for others. This includes a market value if they are exploited for commercial purposes (spam, targeted advertising…), or a nuisance value in the case of unfair actions (discrimination, refusal of access to benefits, dismissal…) or malicious actions (identity theft, defamation, threats, blackmail, burglary, assault…).
Since a controller processes personal data, he has to comply with [Act-I&L].
First, he has to ensure that the purposes of the processing of personal data are defined, that the collected data are relevant to these purposes, and that they are deleted at the end of a determined period.
He also has to ensure that data subjects are informed and can exercise their rights (opposition, access, rectification and deletion). It has to be assessed whether these rights are taken into account at the level of the organization and whether the exercise of these rights is effective.
In addition, he has to ensure the security of the data he processes. [Act-I&L] states in Article 34 the obligation for any controller to "take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data." It is therefore necessary to identify the risks related to the processing of personal data before determining the appropriate means to reduce them.
Finally, he has to meet the specific requirements that apply to his processing and to the data processed, especially when it comes to sensitive data, when personal data is transferred outside the European Union, etc.
To this end, it is appropriate to adopt a global vision that goes beyond the framework of the organization's activities and the purposes determined for its processing, and makes it possible to study the impacts on the individuals concerned by those data.
The Report can be found at: http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf
Guide To Cyber Risks Management
Sponsored by Chartis
It’s a cliché to say the internet is everywhere – but it’s true. The numbers are simply staggering.
The Social Revolution on YouTube claims there are 9 billion connected devices worldwide at the moment and that will increase to 24 billion in the next eight years. The European Union claims that in 1995 just 1% of Europeans had access to a computer at home – by 2011, 73% had access to the internet at home.
And the numbers are only going to grow. Delivery may change but access and connectivity are not going away.
Businesses rely on their systems to operate internally and to communicate with customers, all day every day.
So it is no wonder that cyber risks have moved up the agenda. The European Commission estimates that more than 1 million people worldwide are victims of cyber crime every day, while PwC reports global cyber security spending was expected to reach $60bn (£37bn) in 2011 and is forecast to grow at 10% every year during the next three to five years.
Its report claims the USA accounts for more than half of all security deals globally. This is no surprise, with the USA remaining a litigious society where privacy is closely guarded. However, new regulations being developed in the EU could soon enforce more stringent requirements across Europe too. Suddenly, cyber liability is becoming a boardroom issue. Directors have a responsibility to address the risk or face the very real threat of angry shareholders and personal claims against them for dereliction of duties. Cyber insurance has been available for a number of years but it too is evolving to meet the new challenges. More capacity is coming into the market and cover is adapting to match the demands of customers who need to shift cyber risks off their balance sheets.
Research by Chartis suggests 25% of firms purchase cover in the USA, where laws, litigation and knowledge are all conducive to high demand. In Europe the number would be less than 5%, according to Chartis, hence the scope for growth is huge. Many of the companies asked said they could afford to self-insure – brokers and insurers are seeing this attitude change as the regulatory requirements toughen up and companies realise the potential cost of a cyber attack.
According to the fifth annual US Cost of a Data Breach Study by the Ponemon Institute, the cost of an event per record is rising at 9.2% every year in the USA and has already breached the $200 per customer record levels. Ponemon also found the average total per-incident costs in 2009 were $6.75m, up from $6.65m in 2008. Consider that Sony had 77m customers affected by its data breach in April 2011 and the figures could be enormous.
The Report can be found at:
Insurability of Cyber Risk: An Empirical Analysis
Christian Biener, Martin Eling and Jan Hendrik Wirfs
This paper discusses the adequacy of insurance for managing cyber risk. To this end, we extract 994 cases of cyber losses from an operational risk database and analyze their statistical properties. Based on the empirical results and recent literature, we investigate the insurability of cyber risk by systematically reviewing the set of criteria introduced by Berliner (1982). Our findings emphasize the distinct characteristics of cyber risks compared to other operational risks and bring to light significant problems resulting from highly interrelated losses, lack of data, and severe information asymmetries. These problems hinder the development of a sustainable cyber insurance market. We finish by discussing how cyber risk exposure may be better managed and make several suggestions for future research.
A Taxonomy of Operational Cyber Security Risks - James J. Cebula, Lisa R. Young
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) method.
What Might "Forward Thinking" Risk Managers Do?
Cyber Risk and Insurance
Managing cyber risks with insurance.
Key factors to consider when evaluating how cyber insurance can enhance your security program
Managing cyber risks to sensitive information assets and systems is a top priority for most companies. That’s because the scope, severity, and costs of cyber-attacks are increasing, whether these attacks seek to damage data and systems or steal sensitive information such as trade secrets or personal data. Many are finding that cyber insurance can be an effective tool to help manage these risks.
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
With the increasing cost and volume of data breaches, cyber security is quickly moving from being considered by business leaders as a purely technical issue to a larger business risk. This shift has spurred increased interest in cyber insurance to mitigate the cost of these issues. In a new study sponsored by Experian® Data Breach Resolution, Ponemon Institute surveyed risk management professionals across multiple sectors that have considered or adopted cyber insurance. Based on responses, many understand that security is a clear and present risk. Indeed a majority of companies now rank cyber security risks as greater than natural disasters and other major business risks.
The Risk Manager’s Role in Mitigating Cyberrisk - by Kevin P. Kalinich
With cyberrisks becoming more prevalent, organizations in every industry are faced with the increased possibility of legal exposure, reputational harm and business interruption that can wreak havoc on a company’s bottom line. As a result of the potential losses, risk managers must become more educated on matters relating to the financial impact of cyberexposures and assist corporate directors and officers in satisfying fiduciary duties to protect their company’s assets. After identifying, qualifying and quantifying their cyberrisks, risk managers should consider the following steps to protect their organizations:
1. Implement a Cybermitigation Policy
While proactive measures to mitigate risk can be costly and time consuming, they are far less demanding than the consequences of a serious breach. Moreover, having a robust, well-documented program to monitor cyberrisks may provide favorable evidence of the company’s efforts, thus reducing liability should an incident occur.
A cybermitigation program should start with the following:
- Implement IT security access, use and protection policies and procedures. Note that insurance underwriters will rely on third-party security assessments when conducting due diligence to quote a premium and coverage for cyberinsurance.
- Assist legal with contractual allocation of liability.
- Train and monitor employees, subcontractors, third parties and others regarding such best practices. Updates to written policies and procedures with ongoing training assist in creating a culture of best practices.
- Model the range of potential frequency and severity of losses from cyberincidents for your unique industry and entity-specific circumstances.
- Determine the entity’s risk appetite to retain, mitigate and transfer cyberexposures compared to the entity’s overall enterprise risk management.
Capable risk management advice, combined with legal and IT security, can not only prevent or limit information security breaches, but can mitigate the most adverse consequences of such breaches.
In light of the increased significance of cybersecurity matters, it is essential that corporations develop a comprehensive program. A team consisting of IT, legal, risk management, CIO, security, human resources, product development, sales, marketing and other pertinent personnel should be involved in developing and executing the program.
Risk managers should advise their IT security department to audit and regularly review reliance on different forms of technology (e.g., computers, smartphones, tablets, USB devices) and ensure that the various uses of such technology (e.g., work, social media, personal use) are appropriately regulated in company IT and/or social media policies and guidelines.
2. Evaluate Third-Party Providers
Vendors, suppliers, consultants, IT providers and a range of other third parties have occasion to access various types of confidential corporate information. A risk assessment should be conducted for each third-party provider and, depending on the type of data being shared, additional steps should be considered to prevent security breaches. Risk managers should evaluate a range of questions, including:
- How does the provider erect security walls between data from different customers?
- Who will have access to the information and is encryption possible?
- Will customers be notified that their information will be stored in a cloud?
- Does the cloud provider have its own adequate insurance coverage (possibly requesting that your organization be named as an “additional insured”)?
- Is some information simply too sensitive to turn over to a third party?
Third parties should, at a minimum, be expected to accept inclusion of language in which they warrant that they are in compliance with applicable laws relating to information privacy and security. Contracts should contain indemnification provisions that commit the third-party providers to indemnify you should a security or privacy breach occur.
Risk managers may discover that their organization is unaware of which vendors and suppliers have access to your confidential data, such as personally-identifiable information on customers and employees, or proprietary information about the company’s products. The first step in implementing a system to manage this exposure is to identify the various suppliers and vendors and to determine precisely what type of information each third-party entity is being sent (or otherwise accessing). A robust audit is essential. These audits should examine not only the outsourced IT service providers, such as storage providers, but also any other type of third-party organization or individual who might have access to corporate data.
Risk management should consider the benefits of implementing a data breach management policy to address and outline internal corporate prevention, detection and incident response processes in response to a security breach. It could help in defending an allegation that the company failed to take reasonable care in handling a data security breach.
3. Review Possible Coverage Under Existing Insurance Policies
While some categories of losses might be covered under standard policies, many gaps often exist. In the United States, insurers are filing declaratory judgment actions against their insureds to deny coverage for cyberexposures under property, general liability, professional liability and crime policies. Some courts are finding that these traditional policies, such as property policies, do not cover the types of intangible harm that results from data breaches. Coverage may also be denied if intentional acts are excluded from coverage.
Property, general liability, crime/bond, D&O, professional liability, and kidnap and ransom insurance may apply in the event of a cyberincident. Many breached entities and other responsible parties have been aided tremendously by their insurance policies. Business-to-business firms (predominantly technology centric) that participate in the personally identifiable information (PII) chain can blend cybercoverage into a commercial errors and omissions policy to contemplate a large percentage of the risks, but such firms continue to struggle to ensure insurability where their technology and information asset exposures evolve on a regular basis. Insurers are also denying coverage under professional liability/errors and omissions and D&O policies, with mixed outcomes in the courts.
Risk managers should work with their insurance broker to analyze such policies and determine any potential gaps in existing coverage as cyberevents have the ability to impact numerous lines of insurance coverage.
4. Consider Specific Cyberinsurance to Fill Any Obvious Gaps
Insurance specifically designed to cover the unique exposures of data privacy and security can act as a backstop to protect a business from the financial statement harm resulting from a breach. Coverage for cyberlosses generally fits into two categories, depending on the nature of the event:
- First-party financial loss: The party that experienced the cyberevent suffers financial losses or costs associated with the event. The most commonly cited examples include costs associated with data breach response and lost income attributable to network/IT interruption.
- Third-party financial loss: A party other than the one that experienced the cyberevent suffers financial losses or costs associated with the event. This could be a customer, business partner, employee or unrelated third party; examples include lost personally identifiable information or supply chain disruption.
Available policies can cover privacy breach notification and crisis management, regulatory defense and civil penalties, and liability resulting from a breach. Limits of more than $300 million are available, with premiums ranging from $5,000 to $50,000 per $1 million of coverage, depending upon the retention, losses, revenue, scope of business and risk mitigation employed.
The application process is becoming streamlined whereby multiple carriers will quote pricing, terms and conditions based on one common application. However, it is well advised to develop a comprehensive list of specific priority coverage grants and dictate such requests to the insurance carriers in the form of a submission priority coverage matrix. Policy wording is paramount to successful coverage.
Some policies include first-party network business interruption – to cover loss of revenue during network interruption; information asset – to cover restoration costs or loss of value associated with electronic data; cyberextortion – to pay an extortion threat if doing so successfully wards off a cyberevent; and contingent business interruption – to cover loss of revenue during the downtime of a critical outsourced IT provider (e.g., cloud services).
Given the exposures and constantly evolving risks associated with cyberevents that could cripple companies, industries and critical infrastructures, prudent insureds should review their insurance program with their insurance broker and seek out professionals who understand the cyberinsurance market before those catastrophic events take place. Organizations must understand the insurance coverage they have and, just as importantly, understand what cyberinsurance coverage they deliberately decided not to purchase. A good risk manager can help their organization understand the options and alternatives for cyberinsurance, thereby giving the insured the proper information to make an educated decision as to what type and how much insurance will be in place for the next big cyberattack.