#RSAC
SESSION ID: GRC-T10
Cyber Insurance
“I don’t think it means what
you think it means”
John Loveland
Global Head of Cyber Security Strategy & Marketing
Verizon Enterprise Solutions
Plot
• A brief history of cyber insurance
• The current state of the market, with some case studies
• How and why current products fall short
• What needs to happen for the product and market to mature
• Getting the odds in your favor
A (very) brief history of cyber insurance
“Fencing, fighting, torture, revenge…”

Early 2000s
• Few providers
• 3rd-party coverage
• Threats covered: unauthorized access, network security, viruses

2003
• CA Security Breach Information Act

Mid 2000s
• More providers, est. $120M market
• Added 1st-party coverage (IT forensics, PR, credit monitoring / repair)
• Threats: business interruption, extortion, network asset damage

2010s
• 50+ providers / $1.2 billion
• Coverage expansion: sophisticated threats targeting specific computer systems and organizations big and small
• But strict sub-limits

2016
• 60+ providers just in the US / $2.5 billion industry
• Bigger carriers starting to pull away?
• Wide variety of coverages and pricing

“We’ll never survive! Nonsense. You’re only saying that because no one ever has.”
Current state of the market – growing, but is it maturing?
• Adoption rates vary significantly depending on industry and location
• Pricing and coverages vary widely – as do exceptions – making apples-to-apples comparisons difficult
• Competition among carriers is driving creativity and options
• Underwriting is still a matter more of art than science
The perspective of the purchaser
We have a shiny new cyber-insurance policy, so we’re covered … right?
What’s covered?
“Get used to disappointment.”
• Payment card loss?
• Inadequate protection? E&O?
• Incident response costs?
• Clean-up of a publicly disclosed, yet-to-be-exploited vulnerability?
• Third-party liability?
• Employee misuse?
• Fees and assessments?
• Notification costs?
• Theft of IP?
• Ransomware payouts? Bitcoin?
• Legal defense?
• Business interruption?
• International locations?
Real-life insurance payouts
[chart from the slide; the figures are not reproduced in this transcript]
Source: 2016 Verizon Data Breach Investigations Report
Real-world example of a coverage gap
P.F. Chang’s (PFC) China Bistro Inc. v. Federal Insurance Co.
• Agreement between PFC and payment processor established that PFC would reimburse processor for fees imposed by card brands.
• The mandated assessments were found to fall outside of the cyber-insurance coverage as the processor did not suffer injury.
• Assessments of the processor triggered by the data breach were not found to be an extension of injury suffered by PFC.
• Cyber-insurance coverage of third parties was limited to parties that suffered the data breach.
Source: https://www.businessinsurance.com/article/20160602/NEWS06/160609935
Cybersecurity is more complex than ever.
“What about the R.O.U.Ss?”
• Vendor overload
• Rise in cybercrime
• Shortage of skills
• Evolving cloud technologies
• Regulatory pressures
• More mobility
• New digital ecosystems
• Disruptive business models
As a result, security is becoming increasingly strategic
From -> To:
• Single event -> Persistent threats / continuous compromise
• Perimeter -> Asset-based
• Company’s network -> Company’s network, vendors, cloud
• Technology-led -> Integrated technology, process, people
• Standards, best practices -> Risk-based, strategic
• IT visibility -> Board, C-level visibility
• IT risk -> Enterprise risk
To get to true risk transfer, the risk curve has to shift
[chart from the slide: % risk elimination (y-axis) against $ security spend (x-axis), moving through Protect, Mitigate and Transfer; curve segments labelled “Traditional security efforts”, “+ Asset focus / detection & response” and “+ Applied threat intelligence / integrated security solutions”]

A comprehensive risk-based approach to insurance is required to shift the curve.
• Threat rates
• Vulnerability to attack
• Impact
As is standardization of incident reporting.
• Victim demographics
• Attack methods
• Assets affected
• Type and volume of data disclosed
• Varieties of impact loss
But businesses also play a key role in maturing the cyber-insurance industry.
• Realize that cybersecurity has never been more complicated or important
• Understand where risk transference fits into your overall risk-management program
• Acknowledge differences between standard insurance policies and cyber-insurance
• Enter into a partnership with your insurer
In the meantime, your best bet is to get the odds in your favor. “The battle of wits has begun!”

Review coverages of existing cyber-insurance policies
• Identify gaps in coverage
• Ensure all stakeholders are part of the review and future decisions

Address gaps in coverage
• Additional policies to cover specific loss categories
• Identify non-transference methods of risk reduction

Understand your incident history
• Collect incident and breach data
• Determine what events happen most often, and which resulted in higher impacts

Any questions?