University Risk Management & Insurance Association
48th Annual Conference, Orlando, FL, September 23-27, 2017
Source: First Party Cyber: Mitigating the Risk - Sched, schd.ws/hosted_files/urmia48thannualconference2017/7f/Presentation...

First Party Cyber: Mitigating the Risk

Sandy Mitchell, Director of Insurance, Massachusetts Institute of Technology
Carmelina Borsellino, Vice President, Manager, Cyber Hazards, FM Global
Amy Daley, Vice President, Education Practice Leader, FM Global

LAUNCHING RISK INTO THE FUTURE • URMIA 2017 • Orlando, FL • #URMIA2017

Learning Objectives
Contrast the results of holistic cyber risk prevention with those of risk transfer alone.
Understand the interplay between first-party property and third-party cyber liability coverage.
Get practical property risk solutions that thwart cyber-related damage to property and increase resiliency.
FM Global's Premium Distribution

(Pie chart by industry: Manufacturing, Real Estate, Healthcare/Ed, Power Generation, Public Buildings, Chemical, Food, Pulp and Paper, Pharmaceutical, Retail, Electronics, Other (mining, molten materials, public entity, semiconductors and more). Percentage labels on the chart: 21%, 14%, 9%, 8%, 7%, 7%, 7%, 6.92%, 6.13%, 4.58%, 3.79%, 3.55%; the pairing of labels to sectors is not recoverable from the transcript.)
612 Accounts, $436M Premium
MIT – 2016 Cyber Attacks

Columns: Attacks / Protection / Detection / Response

Ransomware
  Protection: Security awareness; anti-malware
  Detection:  Alerts from provider; reports from users
  Response:   Restore from system & data backups

Phishing/Social Engineering
  Protection: Phishing awareness; spam filtering; two-factor authentication (Duo)
  Detection:  Semi-automated review of activity; reports from users
  Response:   Quarantine IP address; identify victims through logs; suspend accounts

Website Defacements
  Protection: Vulnerability scanning
  Detection:  Reports from provider & users
  Response:   Identify system owner and notify; quarantine host's address, if necessary
Cyber risk is more than an IT issue. It's an enterprise risk.
Cyber Insurance Market

Cyber Insurance Market Maturity Curve (chart: sales plotted against stage: Introductory, Growth, Maturity, Decline)
Current state of cyber insurance market: a $2.5B market that is rapidly growing and evolving
Projected: $7.5B in 2020; $20+B in 2025
Cyber Market Trends

Outsourcing Mitigation Strategies: Insurers are partnering with security experts.
Gaining Consistency: Cyber carriers now include property coverage in their stand-alone policies.
Lacking Clarity: Cyber is excluded from property policies; confusion over primary/excess coverage.
Evolution

Timeline: Financial Gain (2010-2014), Business Disruption (2015-2017), Property Damage (2020)
Parties affected: 3rd party, then 1st party and 3rd party
9/18/2017
The majority of cyber losses are preventable.
De-Mystifying Cyber Risk
Practical, Research-Based Solutions
Learn from the Experience of MIT

MIT
2016 Cyber Attacks
Evolving Threats
Ongoing Risk Management and Mitigation
MIT – 2016 Cyber Attacks: Intrusion Attempt Totals (24 hr period) (chart; values not in transcript)

MIT – Real Time Heat Map Showing Campus Targets (figure)
MIT – Evolving Threats

Data Breach: Destruction, modification, theft, or disclosure of information
  Top concern: Identity theft
  Attack vector: Social engineering

System Integrity Breach: Denial of use, interruption of services, or loss of control
  Top concern: DDoS (Distributed Denial of Service) botnets
  Emerging concern: Breach of IoT (Internet-of-things) sensors, devices, and control systems
MIT – IT Risk Management

How do we respond quickly and efficiently to mitigate/manage and minimize the loss(es) that occur?
Mapping to Risk Management Framework (maturity scale): Action Required, Reactive, Planned, Managed
MIT – Ongoing Mitigation Efforts

Identify: What is there to protect?
Protect: Defensive measures, safeguards available (2FA, etc.)
Detect: Real-time monitoring (e.g., adaptive machine learning)
Respond: Take rapid action/response (via automation if possible)
Recover: Plan for resilience
MIT – Ongoing Mitigation Efforts

People
  Strengthening our information security awareness program and expanding its scope beyond personal-information-requiring-notification (PIRN) data
  Expanding the capabilities of the Information Security Office
MIT – Ongoing Mitigation Efforts

Process
  Enhancing the security process guidelines published for our community at the Information Protection @ MIT website
  Decreasing vulnerability windows by increasing the use of internal vulnerability scanning, and by automating responses to events
MIT – Ongoing Mitigation Efforts

Technology
  Expanding the use of network segmentation, 2FA, encryption, and automated data backup
  Expanding the use of real-time analytics for identification of "out-of-the-ordinary" activities
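The phishing row of the 2016 attacks table (semi-automated review of activity, then identify victims through logs, quarantine the IP and suspend accounts) and the real-time analytics item above describe one triage loop. The script below is an added example, not MIT's tooling: it assumes a simple whitespace-separated authentication log (timestamp, user, source IP, result), uses a constructed sample, and flags a source address that successfully logs into several distinct accounts within a short window, the pattern left when credentials collected by a phishing page are replayed from one place.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format: timestamp user src_ip result).
# One address, 203.0.113.7, succeeds against three accounts within a few minutes.
SAMPLE_LOG = """\
2016-03-01T08:00:01 alice 203.0.113.7 OK
2016-03-01T08:00:05 bob 203.0.113.7 OK
2016-03-01T08:00:09 carol 203.0.113.7 FAIL
2016-03-01T08:00:12 dave 203.0.113.7 OK
2016-03-01T08:03:00 alice 198.51.100.2 OK
2016-03-01T09:15:00 erin 192.0.2.10 OK
2016-03-01T09:16:00 erin 192.0.2.10 OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def find_harvester_ips(events, min_accounts=3, window=timedelta(minutes=10)):
    """Map each IP that logs into >= min_accounts distinct accounts inside one
    sliding window to the sorted list of those accounts. A normal user rarely
    authenticates to several accounts at once; a replayed phishing haul does."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "OK":  # only successful logins identify victims
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def triage(log_text):
    """Return (IPs to quarantine, accounts to suspend and notify)."""
    flagged = find_harvester_ips(parse(log_text))
    victims = sorted({u for users in flagged.values() for u in users})
    return sorted(flagged), victims

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # (['203.0.113.7'], ['alice', 'bob', 'dave'])
```

The threshold and window are tuning knobs; shared lab hosts or NAT gateways will need a higher threshold or an allow-list to keep the semi-automated review from paging on normal traffic.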
Identify: What is There to Protect

Reputational, financial, and physical harm
Confidentiality: unauthorized disclosure
Integrity: unauthorized modification
Availability: access to resources

Assets and threats listed on the slide: Personally Identifiable Information (PII), Denial of Service, Building Management Systems (IoT), Website defacement, Research data, Admissions decisions, Credit Card Information (PCI-DSS), Health Insurance Information (HIPAA)
MIT – Identify: Data Classification

Levels of information based on risk: LOW, MODERATE, HIGH
Security controls for each level
Education/documentation for each control
Applications allowed at each level
In progress; goal is to have levels and controls approved by Fall 2017
MIT – Data Classification cont.

LOW: Includes information that the Institute has chosen not to disclose, but which would not result in material harm. Includes public information; good security practices should still be followed to protect the integrity and availability of information.

MODERATE: Information is not meant to be freely available to the general public, or to the MIT community without access controls. Loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in legal liability, reputational damage, or potential for other types of harm.
MIT – Data Classification cont.

HIGH: Information subject to legal or regulatory requirements requiring its proper safeguarding and handling, including possible notification in the event of a breach. The loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in serious harm to individuals or the Institute.
De-Mystifying Cyber Risk
Practical, Research-Based Solutions
Learn from the Experience of MIT
The Next Big Thing

Cyber Risk Assessment (diagram: Risk Quality; Likelihood and Severity; assessed across Industrial Control Systems, Physical Security, and Information Security)
Author comment A4 on slide 39 (6/16/2017): "Need to use an example that is more education related"