Post on 29-Jan-2016
David Kimmel, CyberRiskPartners
CYBER RISK – A NEW FRONTIER
White House Summit on Cyber Security and Consumer Protection
February 13, 2015
Disclaimer
“Nothing exists except atoms and empty space;
everything else is opinion.”
– Democritus
Agenda
Risk in the Digital Universe
Cyber Risk Market Trends
Risk Transfer Market Dynamics and Opportunities
Cyber Risk Is Really Not the “New New Thing”
[Timeline of attacker and defense milestones by era: Pre-1990, 1990 – 1999, 2000 – 2005, 2006 – 2010, 2011 – 2013, 2014, 2015]
1981 Elk Cloner Virus
1982 First Internet Connected Appliance
1983 Term “Virus” Coined
1986 Brain Virus - IBM
1989 Morris Worm
1989 McAfee Anti-Virus
1992 Michelangelo Virus
1994 Commercial Spam
1995 Kevin Mitnick Arrested
1995 Spyware
1997 Trojans
1999 Melissa Virus
1999 Some Cyber Insurance
Late 1990s Y2K Hysteria
Late 1990s Anti-Spam, Anti-Spyware
2000s Worms / Bots Increase
2000 ILOVEYOU Virus
2000 Conficker Virus
2001 Code Red Virus
2002 California SB 1386 Breach Notification Law
2003 Anonymous Formed
2005 ~$120mm Cyber Ins. Market
2005 ISO 27001
2005 Zero-Day Exploits
2005+ Phishing
2005 – 2007 Albert Gonzalez – Credit Cards
2006 APT Term Coined
2009 Heartland Payment Breach
2009 Stuxnet Weapon
3/2011 Index of Cyber Security set at 1,000
2011 Sony PlayStation Breach
2013 ISO 27001 Update
2013 Executive Order 13636
2013 Target Breach
2014 NIST Framework
2014 Sony Pictures Breach
2014 Target CEO Fired
2014 Increased Board Awareness
2014 ~$2bn Cyber Ins. Market
2014 Cyber Security VC Funding >$2bn
2015 OPM Breach
2015 ETF “HACK” All-Time High
2015 60+ Cyber Ins. Underwriters
2015 Cyber Risk Pricing Models in Development
7/2015 Index of Cyber Security at 2,817
Missing on the Timeline: War Games
The 1983 movie that turned geeks into stars and introduced the world to “hacking”
Dramatic Internet and Mobile Growth Has Paved the Way for Innovation . . .
People are now connected 24/7 with mobile devices
[Charts, 1995 vs. 2014 / 2015: Internet Users and Mobile Users (global users, population penetration, U.S. users as % of global users, % Internet access of U.S. population); Top 15 Public Companies (market cap $bn), U.S. Insurance Companies vs. Global Internet Companies]
Source: 2015 KPCB Internet Report. Market capitalizations are as of May 22, 2015 and December 31, 1995 respectively. Insurance company data from Moelis & Company and SNL.
. . . and Explosive Data Generation, but It’s Only Just the Beginning
In just a minute each day (a):
Google gets over 4 million search queries
Twitter users tweet 277,000 times
Apple users download 48,000 apps
Email users send over 200 million messages
Facebook users share about 2.5 million pieces of content
Over 1 million Vines are watched
Estimated 44 trillion gigabytes in 2020 (b)
By 2014, more content created daily than the period between the birth of the world and 2003
Technical advances in collection and storage reduce storage costs, improve usability and increase incentives to capture and store data
A connected world generates increasingly huge amounts of content . . .
. . . and the Digital Universe expands to unfathomable proportions
Digital Universe Statistics (b)
                                  2013    2020E
Data (Zettabytes)                 4.4     44.0
% Useful                          22%     37%
Mature Markets                    60%     40%
Emerging Markets                  40%     60%
% of Available Storage Capacity   33%     15%
Cloud Related                     20%     40%
(a) DOMO – Data Never Sleeps 2.0 and 3.0.
(b) EMC Digital Universe with Research & Analysis by IDC, 2014.
“Ten years from now, when we look back at how this era of Big Data evolved . . . we will be stunned at how uninformed we used to be when we made decisions.”
– Billy Bosworth, DataStax CEO
Exponential Growth in Devices and Users
Source: Morgan Stanley Mobile Internet Report (12/09) and 2014 KPCB Internet Trend Report.
Each new computing cycle typically generates around 10x the installed base of the previous cycle
The Digital Revolution Is All Downhill From Here
Mobile is the device of choice
An always connected and inter-connected world, full of transactions, interactions and observations
Digital transformation and massive networks are driving a new era of data and analytics
Smoke Detector / Nest Cartoon
Privacy and Liability Implications Are Staggering
Cyber Insurance Is the Last Line of Defense When Technology Fails
The Digital Universe will be dependent upon cyber risk transfer and security
Rapid Tech Innovation and Explosive Data Growth
Cloud Computing
Cheaper Data Storage
Social Networks
Continued Internet Growth
Mobile
IoT
Big Data
More Attack Surfaces
Greater Cyber Risk / Potential for More Breaches
You are here
Data: 4.4 zb in 2013 (a), 44.0 zb in 2020 (a)
CYBER SECURITY
CYBER INSURANCE
(a) Zettabytes. From EMC Digital Universe with Research & Analysis by IDC, 2014.
Agenda
Risk in the Digital Universe
Cyber Risk Market Trends
Risk Transfer Market Dynamics and Opportunities
Tectonic Shifts Create the Perfect Storm
Source: Palo Alto Networks.
A Ubiquitous Threat
“I am convinced that there are only two types of
companies: those that have been hacked and those that
will be. And even they are converging into one category:
companies that have been hacked and will be hacked
again.”
– Robert Mueller, Former FBI Director
Cyber Threat Landscape Is Evolving Rapidly . . .
Threat Actors
Hackers
Organized Crime
Nation States / State Sponsored
Insiders (Malicious, Accidental)
Hacktivists / Anonymous
Terrorists
Competitors
Third Party Vendors
Threat Vectors
Hacking
Malware
Device Loss and Theft
Social Engineering
Skimming
Physical Security
Errors by Vendors
Targeted Information and Systems
Intellectual Property
Transactional and Corporate Records
Data: Credit Card, Healthcare, Employee, Customer, Financial, Other Personal, Operational or Proprietary
Data = Cash
Sabotage: “Philosophical” Point, Nuisance or Revenge
Espionage: Classified / National Security Information, Military and / or Infrastructure
Cyber threats target different networks (i.e., personal, corporate, military and infrastructure), with differing network defense goals
. . . with Differing Attack Motivations
Cyber threat actors are exploiting networks for an ever-widening array of economic and political objectives
Category: Objective / Example / Character
Nuisance: Access & Propagation / Botnets & Spam / Often Automated
Data Theft: Economic, Political Advantage / Advanced Persistent Threat Groups / Persistent
Cyber Crime: Financial Gain / Credit Card Theft / Frequently Opportunistic
Hacktivism: Defamation, Press & Policy / Website Defacements / Conspicuous
Destructive Attack: Disrupt Operations / Delete Data / Conflict Driven
Targeted
Source: Mandiant – “M-Trends 2015.”
Attribution Remains Core to the Problem
Pinpointing the bad actor and the appropriate response is problematic
Source: INFOSEC Institute.
Cyber Attack
The Attribution Problem
Anonymity
Low Deterrence
Hackers Take Control of Moving Jeep
Ethical hackers expose wireless networks as the weakest link in high-tech vehicles
Cyber “Fun” Facts
205 Median # of days to discover a breach (a)
2,982 Longest presence in days (a)
60% Spam volume as a % of email traffic (b)
1/965 Emails containing a phishing attack (b)
69% Victims notified by an external entity (a)
348mm Identities exposed via breaches in 2014 (b)
45% Senior executives say they are attacked hourly or daily (c)
113% Increase in ransomware attacks in 2014 (b)
262% / 188% Increase in number of iOS / Android vulnerabilities since 2011 (d)
60% Employees circumvent security features on their mobile devices (c)
38% Mobile users experiencing mobile cybercrime in past 12 months (b)
68% U.S. companies permit employee-owned devices in the workplace (c)
25% Corporate traffic bypassing perimeter 2018E (d)
24 Zero-Day vulnerabilities (all-time high) (b)
(a) Source: Mandiant – “M-Trends 2015.”
(b) Source: Symantec, Internet Security Report 2015.
(c) Source: Ponemon Institute.
(d) Source: FireEye - “The Move to Mobile;” August 18, 2015.
Cyber Risk Increases Unabatedly
Index of Cyber Security (a)
March 2011: 1,000
August 2014: 2,265
July 2015: 2,817
The Index of Cyber Security (ICS) is a sentiment-based measure of risk to the corporate, industrial, and governmental infrastructure from a spectrum of cybersecurity threats
ICS aggregates the views of information security industry professionals
Chief risk officers and their direct reports
Chief information security officers and their direct reports
Security product vendors’ chief scientists or equivalent
Selected academicians engaged in field work
Over the last 12 months, the index has increased 24%
Since inception in March 2011, the index has increased each and every month, and almost tripled
(a) www.cybersecurityindex.org. Co-publishers: Dan Geer and Mukul Pareek.
The Cyber Conundrum
Huge Cyber Security Outlays…
…Have Not Secured IT Systems…
…Resulting in Dramatic Cyber Crime Growth and Costs
$77 billion expected to be spent globally in 2015 (a)
Cyber security market estimated to grow to $170 billion by 2020 (b)
70% spending greater than 5% of their IT budgets on security (c)
Billions spent on security solutions that top 20% of cyber actors can bypass with a cheap laptop (d)
> 95% of organizations are still compromised (e)
Top 20% of cyber actors comprised of:
Elite hacker groups
Organized crime
Social engineers
Nation-state actors
Attacks have multiplied in all regions
Challenging legacy security model / perimeter defense
Losses often estimated in hundreds of billions of dollars (f)
Top 20% cause 90% of the damage (d)
Approximately 1 year detection time
$250 billion in IP theft
$9 million average response cost
Increasing recognition that nothing can be made 100% secure, and movement towards “Cyber Resiliency”
(a) Gartner estimate on global spend.
(b) Markets & Markets report.
(c) CyberEdge Group – 2015 Cyberthreat Defense Report.
(d) CyberIQ.
(e) FireEye.
(f) For instance, FireEye estimate of $445 billion lost annually.
Cyber security is critical, but the ROI is complex
The Problem Is Pervasive
Since 2005, 10,570 studied cyber events / data security breaches (a)
2014 was a record year (a)
Over 579 million records exposed (41% increase over 2013)
Vast majority of breaches attacked personal information
Hacking most common source
Retail sector hit hardest with dramatic increase in number of compromises and records exposed
The 2014 Sony destructive attack exposed “inner workings,” a departure from historical attack modes on corporates
Lasting financial consequences based on CyberFactors tail analysis
Forecast of 14% CAGR through 2019 (b)
Most breaches are never publicly reported and many simply go undetected
(a) Source: CyberFactors.
(b) Source: Gartner Research 2013.
Data Breaches in the Headlines
Note: Bubble size represents number of records compromised.
Source: CyberFactors.
[Bubble chart by year, 2005 – 2015]
Card Payment Solutions: 40,000,000
AOL: 20,000,000
TJX Companies: 100,000,000
Heartland Payment Systems: 130,000,000
Rock You!: 32,000,000
National Archive Records: 76,000,000
Sony (PSN): 101,000,000
Zappos: 24,000,000
Formspring: 28,000,000
Living Social: 50,000,000
Evernote: 50,000,000
Ebay: 145,000,000
Adobe: 152,000,000
Home Depot: 109,000,000
JP Morgan: 83,000,000
Target: 70,000,000
Sony (Inner Workings)
Anthem: 78,800,00
OPM: 25,700,000
Data Breaches by Sector
Frequency of cyber events and event severity varies significantly by industry
Source: CyberFactors Data 2005 – 2014.
[Chart, 2005 – 2014: Number of Cyber Events and Average Compromised Records Per Event (in thousands), by sector: Healthcare, Gov’t, Fin. Services, Education, Tech., Services, Retail, Hospitality, Non-Profit, Manufacturing, Media, Comm./ISPs, Energy, Transport., Conglomerate, Indust. Goods, A&D, Individual, Unknown, Agriculture, Construction]
2005 - 2014 (All Industries)
Number of Cyber Events: 10,230
Avg. Compromised Records Per Event: 238,225
Don’t Underestimate Human Error
Cyber Security Is Now in the Boardroom . . .
(a) “Cybersecurity in the Boardroom – a 2015 Survey,” NYSE Governance Services and Veracode; survey of corporate board members.
How confident are you that your company is properly secured against cyber attacks? (a)
Less than Confident: 66%
Confident: 29%
Very Confident: 4%
What is your biggest fear regarding cyber attacks? (a)
1 Brand damage due to customer loss
2 Cost of responding to breach
3 Loss of competitive advantage due to corporate espionage
4 Regulatory and compliance violations
5 Other
. . . as a Critical Risk Management Priority
Cyber security is a major governance issue with reputational, operational and financial implications
The overall cyber risk environment, the Target breach and C-suite shake-up, and lawsuits (e.g., Wyndham, Target) have heightened board awareness
With cyber in the spotlight, board members must:
Optimize cyber security governance principles and communication with senior management, IT and cyber security professionals
Establish clear plans, both for cyber security and data breach response
As cyber risk moves to measurement in balance sheet terms, boards will become even more focused
Boards are increasingly important in the cyber security discussion, including the consideration of cyber insurance
Cyber risk is an enterprise risk management concern
Growing Regulatory, Legislative and Legal Spotlight
Given personal, corporate and national security ramifications of cyber risk, there are a myriad of interested parties
These trends and resulting standards will improve cyber risk pricing and enhance the attractiveness of cyber insurance
Increasing Regulation, Focus and Legal Exposure
Federal Laws? (TBD)
FTC
Other Gov’t (HHS, OCC, FCC)
SEC
DOJ / FBI (FBI, NSD, etc.)
DHS (NPPD, USSS, ICE)
DoD (NSA, USCYBERCOM, etc.)
Info Sharing (DHS + FBI; Industry)
Class Action / Derivative Suits
CTIIC (a)
Executive Order / NIST Framework
State Laws (Breach Notification, Other)
State AG
(a) Cyber Threat Intelligence Integration Center, an intelligence unit announced by the White House.
Agenda
Risk in the Digital Universe
Cyber Risk Market Trends
Risk Transfer Market Dynamics and Opportunities
The Cyber Insurance Market Today . . .
Estimated Global Cyber Insurance Premium
Growing market / hot topic
60+ underwriters
Increasing capacity and limits
Capacity aimed at larger insureds
Relatively under-penetrated SME market
Increasing sophistication, underwriting and distribution
Sales cycle is shortening / higher binding percentage
However, still a small market on an absolute and relative basis
Estimated premium by year:
1999 (a): NM
2005 (a): $120 Million
2013 (b): $1 Billion
2014 (b): $2 Billion
2020E (c): $10 Billion
(a) Source: AIG.
(b) Source: The Betterley Report, D&P Analysis.
(c) Source: ABI Research.
. . . Reflects Several Historical Challenges
Lack of standardized coverages and insurance product information
Cumbersome application process
Denial: many have not been willing to recognize risk or believe already covered in standard policies
Senior management / boards historically lacked understanding of exposures
Limited provision in corporate budgets for cyber insurance
Cyber risk pricing models not well-developed
Limited historical data
Evolving, iterative nature of necessary data
Risk aggregation concerns (“cyber hurricane”)
Varying levels of sophistication in the underwriting and distribution communities
The Cyber Risk Transfer Market Continues to Evolve
A variety of risk modeling initiatives in cyber
Increasing amounts of diverse, accurate and relevant historical breach data
Expanding sample size of claims data (both public and proprietary)
Refinements in IT security rating engines / online risk assessment tools
Improving standards (e.g., NIST)
Additional information / data sources
Threat analytics
Information sharing – public / private collaboration
Advancements in cyber security technology, tactics, and awareness
New knowledge/strategies to mitigate aggregation risk exposures
Movement towards standardization in rates and forms
Market depth with maturation: reinsurance, cat bonds, cyber captives, SPVs and sidecars
Risk Modelers
Cyber Insurance – a Fast-Growing Specialty Line
Explosion of data, increase in attack surfaces and attackers, and ongoing attribution challenges
Senior management and board pressure
Focus and publicity / increased awareness and education
Substantial SME market opportunity
Regulatory and legal trends
Market need for a holistic solution
Insurance industry capabilities – in unique position to help shape the dialogue
Enhanced actuarial data and approaches
Government initiatives around information sharing and threat collaboration
Cyber insurance will be an expected business expense and purchased concurrently with other standard coverages
Further Questions / Topics for Discussion
Artificial Intelligence / Machine Learning
Attribution
Big Data
Breach Reporting – Mandatory?
Cloud
Code as Regulator
Cost of a Networked World
Data Integrity
Federal Backstop (e.g., TRIA)
Federal Data Breach Law
Intangibles – Valuation / Accounting
Internet Governance
Net Neutrality
New Internet / New Design?
Open Source Trends
Privacy / Right to be Forgotten
Public / Private Collaboration
Quantum Computing
Reputational Risk (See Intangibles)
Shadow / Parallel Networks
Software Security – Like Milk or Wine?
Who “Owns” the Data?
Thank You for Your Time
“Risk and time are opposite sides of the same coin, for if
there were no tomorrow there would be no risk. Time
transforms risk, and the nature of risk is shaped by the
time horizon: the future is the playing field.”
– Peter Bernstein, “Against the Gods”
Contact Us
For further information, please contact:
David Kimmel
Chief Executive Officer
CyberRiskPartners
(917) 664-8798
david@cyberriskpartners.com
APPENDIX
Source: DOMO – Data Never Sleeps 3.0.
Source: Harvard Business School.
Source: DOMO – Data Never Sleeps 2.0.
Four Decades of Digital Transformation
Source: U.S. Bureau of Economic Analysis and Harvard Business School.
IT Expenditure as Percentage of Total U.S. Capital Expenditure
There Is a Rapidly Increasing Number of Distributed Digital Devices . . .
Source: Gartner, IDC, Strategy Analytics, Machina Research, company filings, BN estimates and Harvard Business School.
Global Internet Device Installed Base Forecast
. . . Leading to an Explosion of Available Digitized Information . . .
Source: 2014 KPCB Internet Trend Report, Morgan Stanley Research and Harvard Business School.
Global Digital Information Created & Shared, 2005 – 2015E
. . . with Massive Computing Power Universally Accessible in the Cloud
The Cloud will take us to Infinity and Beyond: the marginal cost of cloud computing is going to “zero”
Source: Harvard Business School.
Index of Cyber Security
The Index of Cyber Security is a sentiment-based measure of the risk to the corporate, industrial, and governmental information infrastructure from a spectrum of cyber security threats, based on the aggregate view of information security professionals
Month        Index Value   Rate of Change Over Previous Month
Jan. 2014    2,008         2.08%
Feb. 2014    2,045         1.83%
Mar. 2014    2,080         1.71%
April 2014   2,139         2.82%
May 2014     2,173         1.55%
June 2014    2,197         1.13%
July 2014    2,222         1.12%
Aug. 2014    2,265         1.92%
Sep. 2014    2,334         3.01%
Oct. 2014    2,395         2.56%
Nov. 2014    2,446         2.12%
Dec. 2014    2,513         2.70%
Jan. 2015    2,556         1.67%
Feb. 2015    2,604         1.87%
Mar. 2015    2,646         1.58%
April 2015   2,674         1.07%
May 2015     2,717         1.60%
June 2015    2,764         1.70%
July 2015    2,817         1.92%
*ICS VALUE, January 2015 = 2556 (BASE = 1000, MARCH 2011). Co-Publishers: Dan Geer and Mukul Pareek. www.cybersecurityindex.org
Where Does Your Data Go?
Source: Latanya Sweeney, The Data Map and Harvard University.
As health records go digital, you might be surprised where they end up and who buys them