#RSAC SESSION ID: GRC-T10
Cyber Insurance: “I don’t think it means what you think it means”
John Loveland, Global Head of Cyber Security Strategy & Marketing, Verizon Enterprise Solutions

Plot
• A brief history of cyber-insurance
• The current state of the market, with some case studies
• How and why current products fall short
• What needs to happen for the product and market to mature
• Getting the odds in your favor

A (very) brief history of cyber insurance
“Fencing, fighting, torture, revenge…”
Early 2000s
• Few providers
• 3rd-party coverage
• Threats covered: unauthorized access, network security, viruses
2003: CA Security Breach Information Act
Mid 2000s
• More providers, est. $120M market
• Added 1st-party coverage (IT forensics, PR, credit monitoring / repair)
• Threats: business interruption, extortion, network asset damage
2010s
• 50+ providers / $1.2 billion
• Coverage expansion: sophisticated threats targeting specific computer systems and organizations big and small
• But strict sub-limits
2016
• 60+ providers just in the US / $2.5 billion industry
• Bigger carriers starting to pull away?
• Wide variety of coverages and pricing

Current state of the market – growing, but is it maturing?
“We’ll never survive! Nonsense. You’re only saying that because no one ever has.”
• Adoption rates vary significantly depending on industry and location
• Pricing and coverages vary widely – as do exceptions – making apples-to-apples comparisons difficult
• Competition among carriers driving creativity and options

Underwriting still a matter more of art than science

The perspective of the purchaser
We have a shiny new cyber-insurance policy, so we’re covered … right?

What’s covered?
“Get used to disappointment.”
• Payment card loss
• Inadequate protection?
• E&O?
• Incident response costs
• Clean-up of publicly disclosed, yet-to-be-exploited vulnerability?
• Third-party liability
• Employee misuse?
• Fees and assessments?
• Notification costs
• Theft of IP?
• Ransomware payouts?
• Bitcoin?
• Legal defense
• Business interruption
• International locations

Real-life insurance payouts
[Chart: real-life insurance payouts. Source: 2016 Verizon Data Breach Investigations Report]

Real-world example of coverage gap: P.F. Chang’s (PFC) China Bistro Inc. v. Federal Insurance Co.
• Agreement between PFC and its payment processor established that PFC would reimburse the processor for fees imposed by card brands.
• Assessments of the processor triggered by the data breach were found to fall outside of the cyber-insurance coverage, as the processor did not suffer injury.
• The mandated processor assessments were not found to be an extension of injury suffered by PFC.
• Cyber-insurance coverage of third parties was limited to parties that suffered a data breach.
Source: https://www.businessinsurance.com/article/20160602/NEWS06/160609935

Cybersecurity is more complex than ever.
“What about the R.O.U.S.s?”
• Vendor overload
• Rise in cybercrime
• Shortage of skills
• Evolving cloud technologies
• Regulatory pressures
• More mobility
• New digital ecosystems
• Disruptive business models

As a result, security is becoming increasingly strategic
• Single event → Persistent threats / continuous compromise
• Perimeter → Asset-based
• Company’s network → Company’s network, vendors, cloud
• Technology-led → Integrated technology, process, people
• Standards, best practices → Risk-based, strategic
• IT visibility → Board, C-level visibility
• IT risk → Enterprise risk

To get to true risk transfer, the risk curve has to shift
[Chart: % risk elimination against $ security spend, divided into Protect, Mitigate and Transfer bands; the curve shifts from Traditional Security Efforts, to + Asset Focus / Detection & Response, to + Applied Threat Intelligence / Integrated Security Solutions]

A comprehensive risk-based approach to insurance is required to shift the curve.
• Threat rates
• Vulnerability to attack
• Impact

As is standardization of incident reporting.
• Victim demographics
• Attack methods
• Assets affected
• Type and volume of data disclosed
• Varieties of impact loss

But businesses also play a key role in maturing the cyber-insurance industry.
• Realize that cybersecurity has never been more complicated or important
• Understand where risk transference fits into your overall risk-management program
• Acknowledge differences between standard insurance policies and cyber-insurance
• Enter into a partnership with your insurer

In the meantime, your best bet is to get the odds in your favor.
“The battle of wits has begun!”
Review coverages of existing cyber-insurance policies
• Identify gaps in coverage
• Ensure all stakeholders are part of the review and future decisions
Address gaps in coverage
• Additional policies to cover specific loss categories
• Identify non-transference methods of risk reduction
Understand your incident history
• Collect incident and breach data
• Determine which events happen most often, and which resulted in higher impacts

Any questions?
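The two closing recommendations (standardize incident records, then rank your own incident history by frequency and by impact and hold each loss category against the policy's coverage) can be carried out on a small structured dataset. The script below is an added example, not material from the talk or from Verizon. The incident records, loss-category names and policy sub-limits are constructed sample values; the field names loosely follow the reporting categories the talk lists (victim, attack method, asset affected, data disclosed, impact loss) and are assumptions, not a published schema.

```python
"""Added worked example (not from the RSAC talk): rank incident history by
frequency and by impact, then check each loss category against a hypothetical
cyber-insurance policy to surface retained (uninsured) exposure."""
from collections import defaultdict
from statistics import median

# Constructed incident history. Every value is invented for illustration.
INCIDENTS = [
    {"id": "INC-01", "unit": "retail", "method": "phishing", "asset": "workstation",
     "records": 0, "loss_category": "incident_response", "loss_usd": 42_000},
    {"id": "INC-02", "unit": "retail", "method": "pos_malware", "asset": "pos_terminal",
     "records": 120_000, "loss_category": "card_brand_assessments", "loss_usd": 1_250_000},
    {"id": "INC-03", "unit": "finance", "method": "phishing", "asset": "mailbox",
     "records": 300, "loss_category": "notification", "loss_usd": 18_000},
    {"id": "INC-04", "unit": "ops", "method": "ransomware", "asset": "file_server",
     "records": 0, "loss_category": "business_interruption", "loss_usd": 250_000},
    {"id": "INC-05", "unit": "retail", "method": "phishing", "asset": "mailbox",
     "records": 50, "loss_category": "incident_response", "loss_usd": 9_000},
    {"id": "INC-06", "unit": "ops", "method": "ransomware", "asset": "file_server",
     "records": 0, "loss_category": "extortion_payment", "loss_usd": 60_000},
    {"id": "INC-07", "unit": "eng", "method": "insider", "asset": "source_repo",
     "records": 0, "loss_category": "ip_theft", "loss_usd": 400_000},
]

# Constructed policy summary (hypothetical): covered loss categories and the
# sub-limit for each, in USD. A category absent from the map is not covered.
POLICY_SUBLIMITS = {
    "incident_response": 500_000,
    "notification": 250_000,
    "business_interruption": 1_000_000,
    "extortion_payment": 100_000,
}


def summarize_by(incidents, key):
    """Return {field value: (count, total loss, median loss)} for one field."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc[key]].append(inc["loss_usd"])
    return {k: (len(v), sum(v), median(v)) for k, v in buckets.items()}


def rank(summary, by):
    """Order the summary's keys by count ('frequency') or total loss ('impact')."""
    idx = {"frequency": 0, "impact": 1}[by]
    return sorted(summary, key=lambda k: summary[k][idx], reverse=True)


def coverage_gaps(incidents, sublimits):
    """Per loss category: worst single loss seen, the policy sub-limit, and the
    amount the policy would not pay (all of it if uncovered, else the excess
    over the sub-limit). This is the 'identify gaps in coverage' step."""
    worst = defaultdict(int)
    for inc in incidents:
        cat = inc["loss_category"]
        worst[cat] = max(worst[cat], inc["loss_usd"])
    gaps = {}
    for cat, loss in worst.items():
        limit = sublimits.get(cat)
        retained = loss if limit is None else max(0, loss - limit)
        gaps[cat] = {"worst_loss": loss, "sublimit": limit, "retained": retained}
    return gaps


if __name__ == "__main__":
    by_method = summarize_by(INCIDENTS, "method")
    print("Most frequent attack methods:", rank(by_method, "frequency"))
    print("Highest-impact attack methods:", rank(by_method, "impact"))
    ordered = sorted(coverage_gaps(INCIDENTS, POLICY_SUBLIMITS).items(),
                     key=lambda kv: kv[1]["retained"], reverse=True)
    for cat, g in ordered:
        status = "NOT COVERED" if g["sublimit"] is None else f"sub-limit {g['sublimit']:,}"
        print(f"{cat:24s} worst {g['worst_loss']:>10,}  {status:22s} retained {g['retained']:,}")
```

On this sample the most frequent method (phishing) is not the most costly one (the point-of-sale compromise is), and the two largest retained exposures, card-brand assessments and IP theft, are exactly the categories the policy never names, which mirrors the P.F. Chang's gap above: a category that is never listed in the policy is not a sub-limit problem but a coverage problem, and needs either an additional policy or a non-transference control.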