Jake Kouns, CISO of Risk Based Security, discusses integrating cyber insurance into an organization's risk management program. He provides an overview of the current state of security and data breaches. Kouns explains how cyber insurance can help transfer risk by covering costs associated with a breach like notification, forensics and liability claims. Organizations should continue investing in security controls while also considering cyber insurance to recover from an incident and protect the business.
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake Kouns
1. Integration of Cyber Insurance Into A
Risk Management Program
Jake Kouns, Co-founder and CISO
CODE BLUE
30 October, 2019
Tokyo
Jake Kouns
@jkouns / @riskbased
jake@riskbasedsecurity.com
www.riskbasedsecurity.com
2. RISKBASE D SEC URITY.COM
About The Speaker: Jake Kouns
• CISO at Risk Based Security
• Previous OSVDB & DataLossDB
• Previous Director of Technology Risks Underwriting at Markel
• Cyber Liability Insurance “Expert”
• Spoke at DHS & Pentagon about Cyber Insurance
• Vulnerability Intelligence & Vendor Risk Ratings
• Spoke at Black Hat, DEF CON, RSA, FIRST, InfoSecWorld, DerbyCon and
many more!
4. RISKBASE D SEC URITY.COM
State of Security – Data Breaches
Over 43,000 Data Breaches reported all time!Source: https://www.cyberriskanalytics.com
5. RISKBASE D SEC URITY.COM
2019 Mid Year Breach Analysis
• 3,813 breaches were reported
• 4.1 billion records exposed
• Compared to Mid Year 2018:
• The number of reported breaches was up 54%
• The number of exposed records was up 52%
On track for yet another worst year ever…
Source: https://www.cyberriskanalytics.com
6. RISKBASE D SEC URITY.COM
Data Breach – Ticking Time Bomb?
Only a matter of when
for most organizations?
7. RISKBASE D SEC URITY.COM
Data Breach - What Does It Actually Cost?
Data Breaches cost organizations money!
9. RISKBASE D SEC URITY.COM
Reality of Risk
Risk
Accept
Transfer
Avoid
Mitigate
10. RISKBASE D SEC URITY.COM
Transfer Options
• Outsourcing
• Contracts & Agreements
• Insurance
11. RISKBASE D SEC URITY.COM
Why Purchase Insurance?
• Insurance is purchased for numerous reasons:
• Reducing liability
• Loss recovery
• Legal requirements
• Securing loans and/or investments
• Improving business image and stability
• Peace of mind
• Typically purchased for most valuable assets
16. RISKBASE D SEC URITY.COM
Why do people hate haven’t more
organizations bought Cyber
Liability?
They have “unbreakable” security controls?
They think the coverage won’t last or respond?
They don’t believe its a good spend of budget?
They are not aware of the market?
Something else?
Perhaps, organizations don’t truly understand it?
18. RISKBASE D SEC URITY.COM
Is the Bad Reputation Well Deserved?
19. RISKBASE D SEC URITY.COM
Is the Bad Reputation Well Deserved?
20. RISKBASE D SEC URITY.COM
Most situations appear to have
a “valid” reason, although a few
situations presented a concern.
21. RISKBASE D SEC URITY.COM
Many Names, Many Carriers
• Cyber Liability
• Privacy Injury Liability
• Network Security Liability
• Data Privacy
• Theft of Digital Identification
• Cyber Extortion
• Internet Liability
Little Commonality
23. RISKBASE D SEC URITY.COM
First Party
Pays to fix the things we own
when damaged
Third Party
Pays others when our actions
(or inaction) causes harm
As a result of a security event including
data breach or compromise
25. RISKBASE D SEC URITY.COM
Why Does This Matter?
Because it means organizations can buy a cyber policy that
can cover both:
• Security event recovery costs, and
• Protection from lawsuits arising out of a data compromise
It is important to identify the types of incidents that may
impact you!
26. RISKBASE D SEC URITY.COM
Breach Notice Compliance
• Forensics
• Legal fees
• Mailings
• Credit Monitoring
• Identity protection
Liability
• Defense costs
• Settlements
• Responding to regulatory
investigations
• Costs to reissues credit or debit
cards
• Website & Social Media
Other 1st Party
• System Restoration & Extra Expense
• Payment of Extortion Demands & Lost Business
27. RISKBASE D SEC URITY.COM
Not all cyber insurance
policies are the same!
28. RISKBASE D SEC URITY.COM
As helpful as some of
these policies can be,
expect some things not
to be covered..
30. RISKBASE D SEC URITY.COM
Regular maintenance Upgrades Fixes
31. RISKBASE D SEC URITY.COM
The economic value
of data
Data or systems in
the care, custody or
control of others
32. RISKBASE D SEC URITY.COM
Coverage: Not So Common Exclusions
• Failure to encrypt data
(mobile devices)
• Failure to maintain or take
reasonable steps to
maintain security
• Coverage limited to web site
and Internet activities only
• Widespread virus/spyware
• Failure to comply with PCI
standards
• Wireless
• Cloud / SaaS
• Business Income Loss
• Contingent Business
Interruption
33. RISKBASE D SEC URITY.COM
Not all cyber insurance
policies are the same!
Yes, you need to read the policy!
Or… hire someone to do it for you =)
34. RISKBASE D SEC URITY.COM
Integrating Cyber
Liability Insurance
35. RISKBASE D SEC URITY.COM
Integrating Insurance
Executives understand risk:
• Avoid, Mitigate, Accept and Transfer
Organizations understand the need to protect their most
important assets and transfer risk already:
• Property (Buildings)
• Casualty Coverage (Accidents)
• Employment Practices Liability & Workers Comp (People)
• Professional Liability - Errors and Omissions
36. RISKBASE D SEC URITY.COM
Integrating Insurance – Perfect Security
37. RISKBASE D SEC URITY.COM
Integrating Insurance – Law of Diminishing Returns
38. RISKBASE D SEC URITY.COM
Integrating Insurance – Optimal Security
39. RISKBASE D SEC URITY.COM
Integrating Insurance
Let us estimate costs for a security program for a small business
(Approximately USD $2-5M revenue)
• Security Staff
• Security Software / Hardware
• Antivirus, Encryption, Firewall, IDS, DLP, Compliance, Scanners, etc.
• Security Consulting
• External Vuln Scans, Pen Tests, PCI compliance, Legal, Awareness, etc.
40. RISKBASE D SEC URITY.COM
Integrating Insurance
For sake of argument…
• Let’s say it costs a business with USD $2-5M in revenues
spends approximately USD $200,000/per year on security
• Not including initial investment costs
• This estimate is extremely low if they are to implement
proper security
• Should they be spending more?
• Does this ensure that they won’t have a breach?
41. RISKBASE D SEC URITY.COM
Integrating Insurance
• Typical costs for Cyber Insurance are currently extremely
reasonable
• Minimum premiums can be USD $1,000 for USD $1M in
coverage
• Includes many Risk Management Services
• Pricing can change based on industry and controls
• Many smaller companies confused by security and are not
yet doing anything
42. RISKBASE D SEC URITY.COM
Integrating Insurance
• Larger organizations can also get Cyber Insurance for a reasonable cost
• Large hospital with USD $2B in revenues premium estimates:
• <$100,000 for USD $1M in coverage
• <$200,000 for USD $5M in coverage
• Limits are available up to USD $250M, and large towers can be built
• Pricing can change based on industry & controls
• Larger organizations don’t typically use Risk Management Services, but
can utilize service rates
43. RISKBASE D SEC URITY.COM
Not all cyber insurance policies are
the same!
nor
are they priced the same!
Yes, you need to shop around!
44. RISKBASE D SEC URITY.COM
Despite some limitations,
there is real value found in
these cyber insurance policies.
45. RISKBASE D SEC URITY.COM
Interest On The Rise! – Cyber Insurance
50. RISKBASE D SEC URITY.COM
Love It or Hate It: What
You Need To Know
51. RISKBASE D SEC URITY.COM
What You Need To Know
• If your organization doesn’t have cyber insurance, it
will most likely soon!
• Information Security professionals and responders
need to know about cyber insurance
• Help fill out the applications and ensure proper coverage!
• Know what cyber insurance will cover!
• Ensure the requirements of a cyber policies are met to
ensure coverage will not be nullified.
52. RISKBASE D SEC URITY.COM
What You Need to Know: Incident Response Processes
53. RISKBASE D SEC URITY.COM
What You Need to Know
• Most companies have focused on creating and
defining Incident Management teams and
processes
• Some organizations had the unfortunate
opportunity to test those processes and have
responded to an incident and/or data breach
• With Cyber Insurance, there are several
processes that might need to change
• Much is based on the specific carrier/policy selected
54. RISKBASE D SEC URITY.COM
What You Need to Know – Claims Process
• The claims process, is much like a normal
personal insurance policy
• When there is an issue, you need to notify
your cyber insurance provider
• From there, they will assign a Claims
“adjuster” to your issue
• Based on the situation, the claims process
can take several paths
55. RISKBASE D SEC URITY.COM
What You Need to Know – Reporting
• Almost all policies have requirements about timely reporting:
• Within 30 days
• Within 60 days
• As soon as practical
• If a data breach happens, and you don’t notify the carrier in
time, it could lead to loads of problems, including no coverage
• Concerns about over reporting, are mostly overblown. Not
every incident, but if you think you have a data breach, report it.
56. RISKBASE D SEC URITY.COM
What You Need to Know – Payments
Cyber insurance policies typically can cover costs in two ways:
• Pay on behalf
• More common these days, and means that the insurance provider
will make the payments directly
• In most cases you have less control of the process, and cannot
select your vendors
• Reimbursement
• Only a few policies offer this setup at this point
• Allows insured to pick vendors, pay and submit reimbursement
request
57. RISKBASE D SEC URITY.COM
What You Need to Know – Panels
• Insurance carries are trying to keep prices low when they have to
respond to a claim
• They do this by working with vendors to get them approved on
“panels”
• Legal counsel
• Security vendors / forensics
• Notification, Monitoring, etc.
• Proactive services
• This is great because it makes insurance dollars stretch further
• It can be a huge concern, if you have preferred vendors and
relationships that you want to work with in the event of a data breach
58. RISKBASE D SEC URITY.COM
What You Need to Know – Risk Management
• Risk Management Services and “Breach Coach”
• Some carriers use their risk management portals as a way to triage
incidents
• They may require that you submit your initial issues via a portal that is
provided
• They may required that you select a “Breach Coach” and have an initial
conversation about the potential issue first
• Make sure you know the process before you need to use it!
59. RISKBASE D SEC URITY.COM
What You Need to Know – Quick Response
• With the rise of Cyber Insurance, it is clear incident
responders need to understand how this impacts them
and their processes.
• Most response team focus on quick actions to get
incidents under control
• This still is generally the right approach, but the
notification of claim needs to happen almost
immediately at the same time.
61. RISKBASE D SEC URITY.COM
Cyber Insurance in APAC
• Cyber Insurance has been predominately talked about
in context of the United States
• However, cyber insurance is available and growing in
APAC
• There hasn’t been much information produced thus far
outside the USA around number of claims, cause of loss,
and industries impacted
62. RISKBASE D SEC URITY.COM
State of Security - Japan
Source: https://www.cyberriskanalytics.com
63. RISKBASE D SEC URITY.COM
State of Security - Japan
Source: https://www.cyberriskanalytics.com
64. RISKBASE D SEC URITY.COM
State of Security - Japan
Source: https://www.cyberriskanalytics.com
65. RISKBASE D SEC URITY.COM
State of Security (SME) - Japan
Source: https://www.meti.go.jp/english/press/2019/0611_002.html
66. RISKBASE D SEC URITY.COM
Cyber Insurance in Japan
Source: https://asia.nikkei.com/Business/Business-trends/As-cyberattacks-mushroom-so-too-do-cyberinsurance-policies2
67. RISKBASE D SEC URITY.COM
• 04/18/2019 -- According to the report, the global cyber insurance market accounted for USD 4.2
billion in 2017 and is expected to reach USD 22.8 billion globally by 2024, growing at a CAGR of
around 27% between 2018 and 2024.
• North America was the leading regional player with the largest share for cyber insurance in
2017.
• In the Asia Pacific, Japan is expected to be the most attractive nation for cyber insurance market
owing to increasing cyber threats.
• In 2016, Japan contributed for almost 37% of the global internet security threats as compared
to a mere 3% in 2015.
• Thus, Asia Pacific market is anticipated to grow at a significant rate during the forecast period.
Source: https://insurancenewsnet.com/oarticle/cyber-insurance-market-growing-at-a-cagr-of-around-27-between-2018-and-2024
Cyber Insurance in Japan
69. RISKBASE D SEC URITY.COM
Recommended Actions
• Continue to invest in the appropriate security
controls
• We don’t want a Morale Hazard
• Define a response plan in case of a data breach
• Understand your exposures, data types stored
and amount (number of records)
70. RISKBASE D SEC URITY.COM
Recommended Actions
• Determine if you have a Cyber Liability insurance policy at
your organization (You NEED to know!)
• If not, discuss transferring a portion of risk in the form of
Cyber Liability insurance with management
• Determine/review the coverage that would be important to your
organization
• Determine amount of desired coverage
• Obtain a Cyber Liability quote and review the policy carefully!
• If appropriate, integrate Cyber Liability into your risk
management plan
71. RISKBASE D SEC URITY.COM
Recommended Actions
• Effective security programs cost $$$
• Yet, can still be compromised
• Cyber Liability cheaper than most controls and provides
serious financial coverage including security services
• While there are “gotchas”, there are legit policies out there
• If you are a CISO and you have a breach. What do you want
to say?
• Whoops? Sorry.
• We have a partner and coverage. Lets file a claim.
72. RISKBASE D SEC URITY.COM
Recommended Actions
• Be open to the idea that cyber insurance has a valid place as part of
risk management program
• Keep your cynic alive and well, but don’t be quick to see only the
negative
• Understand that cyber insurance for SME businesses is very
important for not just them
• For large companies cyber insurance can improve supply chain risks
73. RISKBASE D SEC URITY.COM
Incident Response
• Clear need for all organizations to develop an
incident response plan
• Develop the plan prior to having a need to use
it!
• Incident / breach response partners have
value:
• Included with Cyber Insurance
74. Integration of Cyber Insurance Into
A Risk Management Program
Discussion!
CODE BLUE
30 October, 2019
Tokyo
Jake Kouns
@jkouns / @riskbased
jake@riskbasedsecurity.com
www.riskbasedsecurity.com
Editor's Notes
The risk is there, and it’s not going away and the reality is that, when in comes to risk, there are basically 4 choices: Acceptance, Avoidance, Mitigate, Transfer.
No denying it, it’s an industry a lot of people love to hate. And there are just enough stories about denied claims and unpaid bills to fuel that perception. But insurance can bring a lot to the table when it comes to dealing with the financial fallout of a security breach.
Because it’s a commercial policy, cyber insurance isn’t quite the same thing as auto or homeowners insurance, but there are some similarities.
Third party – pays the other guy for his losses because of damage you cause them. First party – pays you fix your stuff like body work on your car or tree removal after a storm
The primary focus of these policies is responding to the legal obligations these events can create for the organization – on the “first party” side, that’s paying for notification / customer care services when personal information is compromised and on the “third party” side, that’s covering the cost of lawsuits, and depending on your POV, cost of defending regulatory investigations.
Cyber policies can take on a lot of the financial burden of a security event, but there are some things these policies can’t do.
Survey after survey reports that the biggest concern of senior leadership is the damage a breach can do to the organization’s reputation. Understandable why. It can be an embarrassing event and can have an impact on the bottom line for months, if not years. How many different jokes have you heard about Target being a Target??? Unfortunately, there is nothing an insurance policy – or any risk transfer method for that matter – can do to repair a tarnished public image or loss of customer confidence.
value of the lost data and in some situations, data or systems that has been entrusted to a business partner or vendor.
Despite the limitations, when we start to add up the many ways a policy can contribute to softening the financial blow of a security event, cyber insurance becomes an attractive method for off-setting the risk. What’s even better, insurance companies are still struggling to figure out how to price this – and that, combined with the intense competition – is good news. It means the cost can be surprisingly low. To be fair, that $5,000 mark won’t hold true for everyone, but for the most part it can cost less than other controls, including other transfer options. (pursuing recovery from a vendor isn’t cheap either)
And let’s face it, chances are it’s just a matter of time before the worse happens. Perfect security is unlikely.
Adding more layers of controls doesn’t necessarily result in ‘better’ security. At some point, the benefit doesn’t justify the cost – or worse, can actually have negative returns.
Despite the limitations, when we start to add up the many ways a policy can contribute to softening the financial blow of a security event, cyber insurance becomes an attractive method for off-setting the risk. What’s even better, insurance companies are still struggling to figure out how to price this – and that, combined with the intense competition – is good news. It means the cost can be surprisingly low. To be fair, that $5,000 mark won’t hold true for everyone, but for the most part it can cost less than other controls, including other transfer options. (pursuing recovery from a vendor isn’t cheap either)
Interest in cyber insurance is on the rise
The company says its cyber insurance plans do not cover “criminal acts,” which is the way that it is characterizing a cyber incident involving nearly $6 million in losses at multi-billion-dollar financial technology company SS&C Technologies. As a result, the insurance giant wants the lawsuit tossed.
Interest in cyber insurance is on the rise
Interest in cyber insurance is on the rise
Interest in cyber insurance is on the rise
What about the FBI or law enforcement tells you not to tell anyone?
In most cases you have less control of the process, and cannot select your vendors
Especially SMEs (small and medium entities) are lacking security resources, and delaying in implementation.
Government also concern in this segment, and pushing solutions collaborating together with private sectors.