10.2 - Cyber Risk Flashcards
Explain cyber risk and its impact on the insurance industry
Definition - “Cyber Risk”
Any risk of financial loss, disruption of business, or damage to an organization’s reputation due to a failure of its information technology systems
3 general categories of Cyberattack
- Deliberate and unauthorized breaches of security in order to access information systems for the purpose of espionage, extortion, or embarrassment of an organization, such as ransomware to lock businesses out of their systems until they pay a ransom; malware including viruses, worms, or spyware; and online phishing scams
- Unintentional or accidental security breaches, such as losing a memory stick or a laptop
- Operational IT risks, such as failing to install firewalls, failing to keep security software up to date, using passwords that are weak and easy to crack, or not implementing multi-factor authentication
Situations that create a cyber risk
-a rapidly spreading virus is released on the Internet and infects an organization’s system when an employee clicks on the link to the site
-an employee’s laptop is stolen from their vehicle
-Ransomware is embedded in the organization’s network, which shuts down access until a ransom is paid
-hackers set up a program to randomly probe the organization’s network security and crack employees’ passwords, which allows them full access to the company’s system
-a fake email is sent to employees asking them to send the CEO all their research on a new technology the organization is developing
-an email is sent to a company asking to pay a fake invoice. An employee pays the invoice to an untraceable account and the monies are gone
Losses to Organizations from Cyber risks
Direct Losses:
-costs to fix and restore systems, duplicate data, and reinstall software
-ransom or extortion payments
-funds directly lost due to fraud
-costs to defend and settle lawsuits
Indirect losses result from the direct damage the incident causes, such as the impact on the organization’s earnings and future profits, and can include the following:
-extra expenses - to manage the crisis, such as communications and public relations costs
-accounting and other professional fees - to determine the extent of the loss
-loss of competitiveness - if intellectual property such as trade secrets is stolen and the organization cannot realize the profits it expected in the time period predicted
-loss of business - if customers feel they cannot trust the organization to hold their personal information securely, causing them to move their business to other firms; if financial markets do not believe the organization is well managed, the organization’s share value may decline
-loss of opportunity - if the organization has to change its strategic plan, plans to grow or expand may be delayed or cancelled, or key employee resources may have to be redeployed to manage the crisis
-a post-loss plan should include all the steps the business needs to take after detecting a cyber attack or data breach
-it should identify who is responsible for each step and who will coordinate the team
-it should include a list of emergency contacts, such as an IT security expert
-if data has been released, it is important to identify what happened as soon as possible so the system can be secured
-it is also important to identify exactly what information has been disclosed so that the business can respond appropriately
-privacy legislation and insurers may require the organization to take certain actions, if so, these requirements should be noted in the plan
2 Key areas of Cyber Risk Exposures
-organizations need to integrate cyber risk management into their overall enterprise risk management strategy
-two key areas need to be addressed:
- Behaviour Management
- Systems and Technology Management
- Behaviour Management
-cyber criminals manipulate individuals to open a door into a system by a variety of methods: phishing, or sending emails asking individuals to click on a link or send information; embedding a virus or spyware in email attachments; spear-phishing, or sending targeted emails that appear to be from a legitimate source; and setting up fake websites or infecting real websites that employees or individuals are likely to visit
-organizations can mitigate this risk by ensuring all individuals involved, including customers, are aware of cyber risks
-behaviour management also includes developing policies and awareness training on cyber security, use of personal electronic devices, and social media
-training should encourage employees to ask themselves three questions before they act:
> Does it make sense?
> Does it follow an established process?
> Was I expecting it?
- Systems and Technology Management
-every technology system has weaknesses, and cyber criminals set up programs to detect such weaknesses
-for example, they use denial of service attacks, where a network or server is flooded with traffic to make it unavailable to users
-worms and viruses are used to take control of a computer, generate money, steal sensitive information, or disable a computer or network
-malicious software updates to common programs are employed to allow access to secure systems once installed
-a number of technical solutions and strategies reduce this type of risk
-individuals and organizations can stay up to date with technology and security best practices
-they can address vulnerabilities as they are discovered by software companies
-as well, maintaining a consistent and clear approach to cyber security will help thwart unwanted attacks
Cyber Risk Insurance
-cyber risk insurance package policies include coverage for the following perils:
> TP liability
> Cyber Crime
> Extra expense
> Business interruption losses (resulting from a cyberattack or data breach)
> crisis-management consulting services (to guide the organization on how to manage communications after a loss)
-coverage may be offered individually (as a standalone policy) or as part of a business package policy
-there is no standard policy wording, so intermediaries should carefully compare policies before recommending coverage to their clients
-the following perils can be insured under cyber risk policies:
> Theft of data resulting in a privacy breach
> unintentional transmission of a computer virus
> network systems that become unavailable to TPs due to a failure in security
> allegations of copyright or trademark infringement, libel, slander, defamation, or various social media activities
Cyber Liability Coverage
-TPs may suffer damage as a result of a cyberattack on, or data breach at, an insured
-cyber liability insurance typically covers legal defence costs and damages awarded for lawsuits arising from certain specified perils
-for example, an organization’s customers may become the victims of identity theft by cyber criminals using the organization’s data
-if an organization fails to adequately secure its systems, it could be liable for damages suffered by its customers
-Optional cyber liability coverages include the following:
> Regulatory defence expenses
> Punitive damages
> Arbitration expenses
> Criminal rewards for information leading to the arrest and conviction of the cybercriminal responsible for the loss
-specialized coverage may also be available to cover an organization’s directors and officers liability exposure; for example, if shareholders sue the board of directors when a data breach harms the corporation’s reputation
-Directors and officers coverage is typically on an all-risks basis and subject to exclusions, such as excluding intentional or illegal acts of a board member
Exclusions to Cyber Risk Insurance
-cyber risk insurance typically excludes hard-to-quantify losses, such as reputation damage, lost intellectual property, some class action lawsuits, and future losses, such as the loss of competitiveness
-sometimes it is hard to quantify a loss
-consider the damage done to an organization’s reputation: how would an insurer calculate such a loss?
-loss of sales and customers after an attack could be calculated, but the loss of reputation could influence potential future customers to avoid dealing with the organization
-there is no way to determine the full extent of such a loss
Cyber Risk Coverage in Property Insurance Forms
-property insurance policies often include some limited coverage for cyber risks
-policies typically cover direct damage to electronic equipment and lost data from certain perils, such as lightning
-coverage usually includes the cost of restoring or replacing data that were destroyed or damaged in the same event
-coverage may also extend to cover lost data from malware, either as part of a business package policy, or under a standalone policy
-availability of coverage depends on the technology organizations use and their level of exposure
-coverage is typically limited to damage caused by computer viruses, harmful codes, or harmful instructions entered into a computer system or network
Specialized Policies for Other Costs and Services
-Businesses may suffer a direct loss of funds through extortion or fraud, damage to their systems or software, or an interruption in their operations as a result of a cyberattack
-they may also face unexpected expenses after an attack or data breach incident
-specialized coverage is available to cover many of these exposures, including the following:
> Loss/corruption of data - covers the cost to replace lost or damaged data caused by viruses, malicious code, or spyware
> Business interruption - covers losses that occur when an organization’s network is attacked and the organization is unable to or has limited ability to conduct business, including business income, extra expenses, forensic expenses, and contingent business interruption
> cyber extortion - covers payment or settlement of an extortion threat against an organization’s network and the costs of hiring investigators to track down and negotiate with blackmailers
> crisis management - covers the costs of notifying consumers of a release of private information, providing credit-monitoring and other remediation services in the event of a covered incident, and hiring specialty public relations assistance or advertising to rebuild the organization’s reputation following an incident
> Data Breach - covers expenses and legal liability from a data breach, including access to services to support business owners in complying with regulatory requirements and addressing customer concerns
> identity theft - covers costs of setting up a call centre to specifically address customer or employee concerns when personal information of customers or employees is stolen
> Social Media/networking - covers some social media liability exposures, such as online defamation, advertising, libel, and slander (but there are limited market offerings of this type of coverage)
Factors to Consider when recommending Cyber Insurance
-what security is already in place?
-what security needs to be in place?
-where are their cloud accounts located?
-which risks can be avoided, retained, or controlled?
-which risks need to be insured (or transferred)?
-what kinds of personal information are being stored?
-how many records with sensitive information could be accessed?
-do clients rely on TP services or provide services to others?
-what are the possible outcomes if a data breach is not detected immediately?
Blockchain
-Blockchain is a technology platform that enables distributed ledger technology (DLT)
-the distributed ledger contains transactions that are permanently recorded on a blockchain in such a way that they cannot be erased or tampered with; they can only be sequentially updated
Key features of Blockchain
-a block on the blockchain is essentially a record that is encrypted, time and date stamped, and then linked (chained) to previous blocks through what is known as a Merkle tree
-blocks on the chain are locked, showing the full history of a transaction
-because the ledger is made up of “append-only” blocks, to manipulate or change a block, a hacker would also have to change all subsequent blocks
-because the ledger is continually reconciling among the different nodes, there is only one version of the truth and there can be no single point of failure
-a hypothetical vulnerability scenario, known as a 51% attack, could occur if a party controlled 51% of the nodes representing the blockchain. By controlling a majority of the network, an attacker could “double-spend” by tampering with the distributed ledger to show that a false transaction took place
-a distributed ledger eliminates the need for multiple databases and the errors that arise from maintaining and transferring data among them
-a downside is that the search functionality of a blockchain may not be as good as is currently available with a typical database
-the nodes that make up the network of ledgers do not merely maintain a copy of transactions
-they are continually synced through a protocol referred to as consensus
-each node helps to keep the transaction history correct by working to “agree” with all other nodes about the contents of the ledger
-this makes the chain extremely reliable, tamper-resistant, and trustworthy
-the state of agreement between the blockchain nodes is achieved through the use of consensus algorithms