Post on 14-Aug-2020
Why are the Lights Off?! Recognizing and Managing Your Cyber Risk Exposures
Prepared by Jessica Foster, J.D., Legal Consultant, Financial Services Group, Aon
April 12, 2019
Agenda
1. Part I: Cyber Risk
2. Part II: The Cost of Loss
3. Part III: Cyber Risk Management
Part I: Cyber Risk
Business interruption, cyber extortion, Internet of Things (IoT), and beyond
The Expanding Nature of Cyber Risks
Universal issue – irrespective of the size, structure, industry sector and location of the organization
Malicious threats still prevalent
– Stealth hackers, malware, extortionists, rogue contractors, disgruntled IT staffers
Prevalence of non-malicious incidents
– Employee mistakes (lost laptop)
– Marketing mishap: innocent customer data leaks
– Vendor leak
Network operation and sharing trends
– Points of failure are multiplied due to trends of outsourcing computing needs, including cloud computing
– Massive dependencies and data-sharing between business partners
Criminal Activity is Rising
* NetDiligence 2018 Cyber Claims Study
Cyber Breach Statistics
The average Canadian company finds itself under attack by hackers more than once a day
Almost 670 million new malware variants were observed in 2017, an increase of 87% from the number of variants observed in 2016 (357 million)
In Canada alone, cybersecurity breaches cost companies a total of more than $9.6 billion in recovery in the past year
On average, it took more than five months to detect that an incident occurred and almost two months to contain the incident
Approximately 25% of data breaches have insider involvement
In 2016, Construction Dive reported a 400% increase in ransomware attacks on the construction industry over the previous year
More than 75% of companies in the construction, engineering & infrastructure industries have experienced a cyber-incident within the last 12 months
* Statistics from: Symantec 2017 Internet Security Threat Report; The Cyber Security Readiness of Canadian Organizations, 2018, Scalar; NTT Security; NetDiligence 2017 Cyber Claims Study; Forrester Research, Inc.
Cyber Crime Motivations
Motivations of cyber criminals are typically not clear
Financial: steal critical confidential third-party information and then sell it to rogue states or competitors on the internet
Political: cyber criminals may have political or activist motivations due to: the perceived environmental impact of the organization or industry’s operations; the types of projects the company is involved in; the manner in which the end projects are used
Reconnaissance: hackers may be trying to determine where network vulnerabilities are, what systems can be penetrated and what information can be accessed
– This information may then be used by cyber criminals at a later date
Most Common Organizational Cyber Exposures
Employee information: names, addresses, SINs, payroll information (including financial information), HR records
– Even if payroll processing is outsourced to a third party (e.g. ADP)
Individual customer or client information: personally identifiable information (PII) (e.g. names, addresses), financial information
Corporate confidential information: third-party intellectual property, M&A documents
Business interruption: security breaches causing operational downtime
– Dependent/contingent BI: key service providers experience security breaches that in turn interrupt the insured’s business
Cyber extortion: threats made against an organization to disclose confidential information
Physical damage to property or personal injury: resulting from a cyber breach (e.g. Internet of Things (IoT) exposures)
Variables Impacting Cyber Risk in the Construction Industry
High-profile, large-scale projects
– Construction companies may be targeted for politically motivated reasons, with hackers attempting to gain information related to high-profile, large-scale projects
– Hackers looking to gain access to valuable data that can be exploited to obtain money or a competitive advantage
Interconnected systems
– e.g. shared procedural or structural models, design and construction software systems (such as BIM, Procore and Revit), Smart Building monitoring systems or other systems that have internet-connected capabilities or can be accessed remotely
High degree of dependency on electronic processes and computer networks
– The company may be vulnerable to cyber extortion attacks and business interruption
Organization-specific Variables Impacting Cyber Risk
1. Budget Constraints
– Impact on ability to train staff, maintain, upgrade, monitor and test computer systems
2. Outsourcing of IT Operations
– Myth debunked: if you outsource data storage/processing, you are not protected from the consequences of a data breach!
– Outsourcing a large percentage of IT operations to third parties (e.g. cloud service providers) can increase risk in some cases
3. Target for Hackers
– Local governments, energy and utility companies, transportation and other industries can be a target for hackers and extortionists
4. Public Scrutiny
– Municipal governments and Crown corporations tend to be subject to greater public scrutiny with respect to cybersecurity and the use and protection of personal identifiable information
5. Long Information Retention Periods
Cyber Exposures for Construction Companies – Business Interruption and Reputation
Construction companies face huge financial and reputational consequences if operations cease, causing a business interruption (BI)
– Risk of delays to project completion with potential financial penalties
– Additional expenses to get the business back up and running
– Mass chaos and disruption, with the potential to negatively affect the company’s reputation moving forward
Business interruption in the cyber context can occur for any number of reasons:
– Cyber security breach/cyber attack: e.g. ransomware penetrates the company’s network, locking out employees and suspending all services (direct BI)
– A vendor, service provider, subcontractor or other critical third party experiences a cyber incident that suspends the company’s operations (contingent BI)
– A software update goes awry and freezes the company’s systems and operations (systems failure BI)
Cyber Exposures for Construction Companies – Bodily Injury & Property Damage
Internet of Things (IoT) risk is high for construction companies
Any system that runs electronically can have access points that may be exploited by third parties, causing bodily injury or property damage (and, likely, business interruption)
Example:
– In 2014, hackers penetrated a German steel mill’s network using a spear-phishing email scheme, entered its enterprise systems, and from there accessed its industrial control systems. After the hackers took control of the facility’s control systems, mill operators were unable to shut down a blast furnace, resulting in massive damage to the equipment.
Cyber Exposures for Construction Companies – Third Party
Construction companies generally possess large amounts of non-personal confidential information of third parties in their care, custody and control
– e.g. technology, IP, recipes, specifications, plans, diagrams, etc.
– If confidential information is lost or exposed, companies could face a civil lawsuit resulting in substantial defence costs, settlements or judgments
Construction companies, like other organizations, have employees and will likely obtain and store a substantial amount of their employees’ personal identifiable information (PII)
– e.g. payroll and health information, employment history, financial information, SIN, performance reviews, etc.
– If PII in the company’s care, custody and control is compromised, the organization could face: (1) a civil lawsuit resulting in substantial defence costs, settlements or judgments, and/or (2) fines levied by a regulator as a result of an investigatory/regulatory proceeding
Cyber Exposures for Construction Companies – Cyber Extortion
Due to the nature of their operations, construction companies are also a valuable target for cyber extortionists
– e.g. malware penetrates the network and locks the insured company out of all systems; the cyber criminal demands payment to “unlock” the system
As discussed, the financial and reputational consequences of the resulting service and business interruption, and potential delays to project completion, are huge
Extortionists may demand large ransom payments to regain access to systems
Costs involved can include:
– Extortion amount
– Additional costs to terminate the threat (e.g. IT forensic team)
Part II: The Cost of Loss
Causes of Cyber Privacy Breaches – 2013–2017
* NetDiligence 2018 Cyber Claims Study
Causes of Cyber Privacy Breaches – 2017
* NetDiligence 2018 Cyber Claims Study
Costs Incurred Following a Cyber Breach
First Party Costs
Organization’s out-of-pocket costs:
– Damage to data and property
– Recovery and restoration expenses
– Loss of intellectual property
– Business interruption
– Internal investigation
– Lost employee productivity
– Notification expenses
– Interaction with regulators
– Call-centre expenses
– Website maintenance
– Identity theft and credit monitoring
– Public relations
Third Party Costs
Civil suits:
– From business partners (e.g. financial institutions for credit card notification and recall expenses)
– From employees and the general public for identity theft, mental anguish claims
– Compensatory damages
– Legal fees
Regulatory investigations and proceedings:
– From privacy commissioners
– Fines, penalties, and civil awards
– Costs to comply with orders
Real Claim Payouts: First Party vs. Third Party Costs
Total claims payouts by type of cost (N = $76M in reported claim expenses)
* NetDiligence 2016 Cyber Claims Study
Cost of a Cyber Breach – Global vs. Canada
Out of 477 participating global companies spanning 17 industry sectors, the following costs were identified:
– Average total cost of a data breach: $3.86M (increased 6.4% from 2017)
– Average cost per lost or stolen record: $148 (increased 4.8% from 2017)
Out of 28 participating Canadian companies, the following costs were identified:
– Average total cost of a data breach: $4.74M
  • Third highest overall, behind only the U.S. and Middle East
– Average cost per lost or stolen record: $202
  • Second highest overall, behind only the U.S.
* Data obtained from the Ponemon Institute LLC: “2018 Cost of a Data Breach Study: Global Overview”
Cost of Loss – Industrial Manufacturing (per record cost $)
As we can see from the following diagram, companies in the Industrial sector had a per capita data breach cost above the overall global mean of $148:
* Per capita cost is defined as the total cost of a data breach divided by the size of the data breach in terms of the number of lost or stolen records.
* Data obtained from the Ponemon Institute LLC: “2018 Cost of a Data Breach Study: Global Overview”
Cost of Loss – Industry (overall $)
* NetDiligence 2018 Cyber Claims Study
Part III: Cyber Risk Management
IT Solutions, Contractual Risk Transfer, Organizational Best Practices, Insurance Risk Transfer and Procuring Insurance
IT Solutions
Network Security
– Review firewall configurations and ensure only allowed ports, services and internet protocol addresses are communicating with your network
– Segregate payment processing networks from other networks
– Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing
– Create strict ACLs segmenting public-facing systems that house payment card data
– Implement data leakage prevention/detection tools to detect and help prevent data exfiltration
– Implement tools to detect anomalous network traffic and behaviour by legitimate users
Administrative Access
– Use two-factor authentication when accessing payment processing networks (even if a virtual private network is used, it is important that 2FA is implemented to help mitigate key-logger or credential dumping attacks)
– Limit administrative privileges for users and applications
– Periodically review systems (local and domain controllers) for unknown and dormant users
Encryption
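As an added illustration of the firewall review and payment-network segregation points above (not part of the original presentation), the following Python script audits a constructed firewall rule export against an approved-services list and checks that only a designated admin subnet can reach the segregated payment processing network. The rule names, subnets and approved services are assumptions constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule from a flattened export; port None means any port."""
    name: str
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]


@dataclass(frozen=True)
class Finding:
    rule: str
    code: str
    detail: str


# Constructed sample rule set (not from any real device or the presentation).
SAMPLE_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", 443),
    Rule("legacy-telnet", "allow", "10.0.0.0/8", "10.0.1.0/24", "tcp", 23),
    Rule("pos-mgmt", "allow", "10.10.5.0/28", "10.20.0.0/24", "tcp", 22),
    Rule("office-to-pos", "allow", "10.0.50.0/24", "10.20.0.0/24", "any", None),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# Constructed policy: the only services the business has approved, the
# segregated payment processing network, and the one admin subnet allowed in.
APPROVED_SERVICES = {("tcp", 443), ("tcp", 22)}
PAYMENT_NET = ipaddress.ip_network("10.20.0.0/24")
PAYMENT_ADMIN_NET = ipaddress.ip_network("10.10.5.0/28")


def audit_rules(rules, approved_services, payment_net, admin_net) -> list[Finding]:
    """Return one Finding per policy violation among the allow rules."""
    findings: list[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open anything, so they are skipped
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        # Check 1: every allow rule must name an approved protocol/port.
        if r.proto == "any" or r.port is None:
            findings.append(Finding(r.name, "any-service",
                                    "allows any protocol or port"))
        elif (r.proto, r.port) not in approved_services:
            findings.append(Finding(r.name, "unapproved-service",
                                    f"{r.proto}/{r.port} is not on the approved list"))
        # Check 2: only the admin subnet may reach the payment network.
        if dst.overlaps(payment_net) and not src.subnet_of(admin_net):
            findings.append(Finding(r.name, "payment-segmentation",
                                    f"{r.src} is outside the admin subnet {admin_net}"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, APPROVED_SERVICES, PAYMENT_NET, PAYMENT_ADMIN_NET):
        print(f"{f.rule}: {f.code} ({f.detail})")
```

On the sample export the script flags the telnet rule as an unapproved service and the office-to-payment rule both for opening every port and for breaking the segregation of the payment network.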
Contractual Risk Transfer
If a company has service contracts, there are a number of things to consider:
– Limit of liability
  • Indemnification
– Where are the data centers?
– Will the service provider be required to purchase cyber insurance?
– Strength of security utilized by third-party vendors and/or any subcontractors
  • Will the client be notified of and have the opportunity to approve the service provider’s subcontractors?
  • Security audits permitted?
  • What verifications must service providers give?
  • Employee background checks required?
– Responsibilities in the event of a cyber breach
  • Responsibility for notification
  • Service provider’s obligation to mitigate
  • What laws apply?
– Termination of the contract
  • Data returned or destroyed?
Organizational Best Practices
Update computer systems regularly – set a schedule to make it automatic
Change passwords regularly – install software that requires this or establish a policy
Establish policies and procedures around the collection, use, storage and destruction of confidential information and make them known to all employees at the company
Educate employees about cyber risk – how to practice safe internet usage, understand the signs of a cyber scam, the importance of following established protocols
Develop a cyber breach response plan – identify the third-party experts that you will use to fix the breach and mitigate damages
Have staff secure their workstations and remove technology (e.g. laptops) when they are not using their devices
Back up important information regularly – consider off-site storage (e.g. cloud storage)
Know and understand your cyber risks – what can be handled internally, what costs or time delays can your company absorb, are you transferring the risk to the extent possible?
Risk Management Practices and the Impact on Cost of Loss
Impact of risk management practices or other response actions on the cost of a data breach
– e.g. Employee training reduces the average per capita cost of a data breach by $9.30. In contrast, extensive use of IoT devices increases the average per capita cost by $5.40.
* Ponemon Institute LLC: “2018 Cost of a Data Breach Study: Global Overview”
However, even if Cyber Risk Mgmt. Practices are implemented flawlessly…
What Does a Cyber Liability Insurance Policy Cover: First Party Costs
Privacy breach costs
– Notification costs (not required to be statutorily mandated)
– Legal advice
– IT forensics (sometimes needed to determine whether a breach has even taken place)
– PR and brand damage management
– Credit and identity theft monitoring for affected individuals
Business interruption
– Extra expenses incurred because of loss
– Ordinary payroll expenses while business interruption is ongoing
– Lost income
Digital asset restoration
– Cost of labour to recreate digital records
– Cost to replace damaged hardware and software
Cyber extortion
– Expenses resulting directly from the insured surrendering funds or property to the person who makes the threat
– Costs to terminate the threat (e.g. extortion amount) (no coverage for insureds’ confidential information)
What Does a Cyber Liability Insurance Policy Cover: Third Party Liability Costs
Your liability to third parties arising out of:
– Network security breaches to the insured’s computer system
– Network security breaches to the network of a third-party service provider
– Privacy breaches – your failure to protect confidential information
– The transmission of malicious code to third parties
Regulatory investigations, proceedings and penalties:
– Fines and penalties levied by privacy regulatory bodies, where insurable
– Civil awards made by regulatory bodies
– Costs of regulatory investigations
– Payment card industry fines, penalties and investigations (with added endorsement and additional premium)
Internet of Things (IoT) Risk
Direct bodily injury or property damage (IoT risk) is typically excluded from cyber liability insurance policies
However, there are a couple of different places where this coverage could be picked up:
1. Existing property policies
  • Silent coverage exists in some cases, or is added by endorsement
2. New hybrid cyber products
  • Cover both privacy risk and Internet of Things exposure
3. Aon Cyber Enterprise Solution (ACES)
  • Designed to protect large organizations against catastrophic cyber risk with a high limit/high retention approach
  • Protects against property and casualty losses arising out of a cyber breach specifically
Purchasing Cyber Liability Insurance: Underwriting and Application
Large organizations are required to complete a long-form application with questions related to the size/scope of the business, the extent of operations, the kind of information collected and existing IT security measures
– From this, manuscript policy wording can be negotiated to address each organization’s unique risk exposure
Organizations that have revenue of $200M or less can now take advantage of a streamlined cyber insurance purchase process
– Involves a 7-question application and manuscript policy wording
Key variables to the cost of cyber insurance include:
Cyber Insurance – The Real Scoop on Cost and Coverage
The cost of cyber insurance varies greatly depending on the size and scope of the business that is being insured and the metrics discussed on the previous slide
Premiums and retentions have come down in recent years, and generally remain flat on renewal
– However, rate increases may result where there has been a drastic increase in revenue or a history of cyber incidents
Coverage has also broadened, and an increasing number of carve-backs have been negotiated to narrow existing exclusions
– There is significant variance in the wording of cyber insurance products available in the market
– Some policies provide much broader coverage than others
– Language nuances can lead to unexpected denials of coverage
For more accurate information about how much cyber insurance will cost for your company, it is best to speak to an insurance broker
Actual Cyber Insurance Payouts
Type of Company: Professional Services – Construction and Design Services
Total Payout: USD $300k (legal counsel, forensics and ransom payment)
Policy Coverage Section: Cyber Extortion
Ransomware attack – privacy counsel and a forensic vendor were retained. The attack was on the company’s servers AND its backup servers, which made restoration difficult. No decryption tool was available.
It was determined that paying the ransom (20 bitcoin) would be the quickest way to address the situation. The forensic firm worked with a bitcoin broker to secure the necessary funds and coordinated the exchange with the attacker.
Subsequent decryption required significant assistance from the forensic firm, which also monitored the decryption process to ensure that the attacker was not able to regain access to the environment and re-encrypt any of the affected machines.
There was no evidence that information had been stolen from the company’s systems; therefore, no legal notification obligations were triggered.
* Example from “Cyber attacks: Claims scenarios ripped from today’s headlines”, XL Catlin.
Construction – Cyber Incident Examples
Type of Company: Concrete contractor
Total Loss: $218,797
A concrete contractor’s CEO opened a phishing email that infiltrated the company’s computer network, undetected by anti-virus software.
The malicious code exposed names, addresses, social security numbers and healthcare records of 50 employees.
The company was fined $218,797 by a regulatory investigation committee for “failure to protect personally identifiable information.”
Construction – Cyber Incident Examples
Company: Turner Construction
Turner Construction was the victim of a spear phishing scam in 2016
An employee sent tax information on current and former employees to a fraudulent email account. The information included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015.
Company: Whiting-Turner Contracting
In 2016, Whiting-Turner Contracting was notified by an outside vendor that prepared W-2 and 1095 tax forms for the company’s employees about suspicious activity on that vendor’s systems.
Around the same time, employees of Whiting-Turner were reporting fraudulent tax filings being made in their names.
In addition to employee information, it is also possible that personal information of children and beneficiaries of employees who received healthcare insurance coverage through Whiting-Turner was compromised.
Questions/Thank you
Jessica Foster, J.D., Legal Consultant jessica.foster@aon.ca / 416.868.5651
Important: This report contains proprietary and original material which, if released, could be harmful to the competitive position of Aon Reed Stenhouse Inc. Accordingly, this document may not be copied or released to third parties without Aon’s prior consent.