Explore the evolution of cyber risks from the past to the present and into the future. Learn about market trends, risk transfer dynamics, and the opportunities in the digital universe. Discover the importance of cyber security and the growth of cyber insurance. Stay informed on the latest innovations in technology and the challenges they bring to privacy and liability. Understand the crucial role of cyber insurance as the last line of defense when technology fails.
CYBER RISK – A NEW FRONTIER David Kimmel CyberRiskPartners
White House Summit on Cyber Security and Consumer Protection February 13, 2015
Disclaimer “Nothing exists except atoms and empty space; everything else is opinion.” – Democritus
Agenda Risk in the Digital Universe Cyber Risk Market Trends Risk Transfer Market Dynamics and Opportunities
Cyber Risk Is Really Not the “New New Thing”
Pre – 1990: 1981 Elk Cloner Virus; 1982 First Internet Connected Appliance; 1983 Term “Virus” Coined; 1986 Brain Virus - IBM; 1989 Morris Worm; 1989 McAfee Anti-Virus
1990 – 1999: 1992 Michelangelo Virus; 1994 Commercial Spam; 1995 Kevin Mitnick Arrested; 1995 Spyware; 1997 Trojans; 1999 Melissa Virus; 1999 Some Cyber Insurance; Late 1990s Y2K Hysteria; Late 1990s Anti-Spam / Anti-Spyware
2000 – 2005: 2000s Worms / Bots Increase; 2000 ILOVEYOU Virus; 2000 Conficker Virus; 2001 Code Red Virus; 2002 California SB 1386 Breach Notification Law; 2003 Anonymous Formed; 2005 ~$120mm Cyber Ins. Market; 2005 ISO 27001; 2005 Zero-Day Exploits
2006 – 2010: 2005+ Phishing; 2006 APT Term Coined; 2005 – 2007 Albert Gonzalez – Credit Cards; 2009 Heartland Payment Breach; 2009 Stuxnet Weapon
2011 – 2013: 2011 Sony PlayStation Breach; 3/2011 Index of Cyber Security set at 1,000; 2013 ISO 27001 Update; 2013 Executive Order 13636; 2013 Target Breach
2014: 2014 Sony Pictures Breach; 2014 Target CEO Fired; 2014 Increased Board Awareness; 2014 ~$2bn Cyber Ins. Market; 2014 Cyber Security VC Funding >$2bn; 2014 NIST Framework
2015: 7/2015 Index of Cyber Security at 2,817; 2015 OPM Breach; 2015 ETF “HACK” All-Time High; 2015 60+ Cyber Ins. Underwriters; 2015 Cyber Risk Pricing Models in Development
Chart label: Cyber Risk. Legend: Attacker, Defense.
Missing on the Timeline: War Games The 1983 movie that turned geeks into stars and introduced the world to “hacking”
Dramatic Internet and Mobile Growth Has Paved the Way for Innovation . . . Internet Users Mobile Users Global Users Population Penetration Global Users Population Penetration $2.8bn 73% 39% 5.2bn 25% CAGR 26% CAGR 25% CAGR 25% CAGR $35mm+ 0.6% 80mm+ 1% Top 15 Public Companies (market cap $bn) % Internet access of U.S. Pop. U.S. Users % of Global Users U.S. Insurance Companies Global Internet Companies 84% 61% $2,146 12% CAGR (9%) CAGR 7% CAGR 27% CAGR 10% $444 9% $115 $17 People are now connected 24/7 with mobile devices Source: 2015 KPCB Internet Report. Market capitalizations are as of May 22, 2015 and December 31, 1995 respectively. Insurance company data from Moelis & Company and SNL.
. . . and Explosive Data Generation, but It’s Only Just the Beginning
A connected world generates increasingly huge amounts of content . . . In just a minute each day (a): • Google gets over 4 million search queries • Twitter users tweet 277,000 times • Apple users download 48,000 apps • Email users send over 200 million messages • Facebook users share about 2.5 million pieces of content • Over 1 million Vines are watched
. . . and the Digital Universe expands to unfathomable proportions. Digital Universe Statistics (b): • Estimated 44 trillion gigabytes in 2020 (b) • By 2014, more content created daily than the period between the birth of the world and 2003 • Technical advances in collection and storage reduce storage costs, improve usability and increase incentives to capture and store data
“Ten years from now, when we look back at how this era of Big Data evolved . . . we will be stunned at how uninformed we used to be when we made decisions.” – Billy Bosworth, DataStax CEO
(a) DOMO – Data Never Sleeps 2.0 and 3.0. (b) EMC Digital Universe with Research & Analysis by IDC, 2014.
Exponential Growth in Devices and Users Each new computing cycle typically generates around 10x the installed base of the previous cycle Source: Morgan Stanley Mobile Internet Report (12/09) and 2014 KPCB Internet Trend Report.
The Digital Revolution Is All Downhill From Here • Mobile is the device of choice • An always connected and inter-connected world, full of transactions, interactions and observations • Digital transformation and massive networks are driving a new era of data and analytics
Privacy and Liability Implications Are Staggering Smoke Detector / Nest Cartoon
Cyber Insurance Is the Last Line of Defense When Technology Fails The Digital Universe will be dependent upon cyber risk transfer and security CYBER SECURITY You are here • Cloud Computing • Cheaper Data Storage • Social Networks • Continued Internet Growth Greater Cyber Risk / Potential for More Breaches • Mobile • IoT • Big Data More Attack Surfaces Rapid Tech Innovation and Explosive Data Growth CYBER INSURANCE Data 4.4 zb in 2013 (a) 44.0 zb in 2020 (a) • Zettabytes. From EMC Digital Universe with Research & Analysis by IDC, 2014.
Agenda Risk in the Digital Universe Cyber Risk Market Trends Risk Transfer Market Dynamics and Opportunities
Tectonic Shifts Create the Perfect Storm Source: Palo Alto Networks.
A Ubiquitous Threat “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” –Robert Mueller, Former FBI Director
Cyber Threat Landscape Is Evolving Rapidly . . . Cyber threats target different networks (i.e., personal, corporate, military and infrastructure), with differing network defense goals Threat Actors Threat Vectors Targeted Information and Systems • Hackers • Organized Crime • Nation States • State Sponsored • Insiders • Malicious • Accidental • Hacktivists / Anonymous • Terrorists • Competitors • Third Party Vendors • Hacking • Malware • Device Loss and Theft • Social Engineering • Skimming • Physical Security • Errors by Vendors • Intellectual Property • Transactional and Corporate Records • Data • Credit Card • Healthcare • Employee • Customer • Financial • Other Personal, Operational or Proprietary • Data = Cash • Sabotage: “Philosophical” Point, Nuisance or Revenge • Espionage: Classified / National Security Information • Military and / or Infrastructure
. . . with Differing Attack Motivations Cyber threat actors are exploiting networks for an ever-widening array of economic and political objectives Source: Mandiant – “M-Trends 2015.”
Attribution Remains Core to the Problem Pinpointing the bad actor and the appropriate response is problematic Cyber Attack Low Deterrence Anonymity The Attribution Problem Source: INFOSEC Institute.
Hackers Take Control of Moving Jeep Ethical hackers expose wireless networks as the weakest link in high-tech vehicles
Cyber “Fun” Facts
• 205: Median # of days to discover a breach (a)
• 2,982: Longest presence in days (a)
• 60%: Spam volume as a % of email traffic (b)
• 1/965: Emails containing a phishing attack (b)
• 69%: Victims notified by an external entity (a)
• 348mm: Identities exposed via breaches in 2014 (b)
• 45%: Senior executives say they are attacked hourly or daily (c)
• 113%: Increase in ransomware attacks in 2014 (b)
• 262% / 188%: Increase in number of iOS / Android vulnerabilities since 2011 (d)
• 60%: Employees circumvent security features on their mobile devices (c)
• 38%: Mobile users experiencing mobile cybercrime in past 12 months (b)
• 68%: U.S. companies permit employee-owned devices in the workplace (c)
• 25%: Corporate traffic bypassing perimeter 2018E (d)
• 24: Zero-Day vulnerabilities (all-time high) (b)
(a) Source: Mandiant – “M-Trends 2015.” (b) Source: Symantec, Internet Security Report 2015. (c) Source: Ponemon Institute. (d) Source: FireEye – “The Move to Mobile;” August 18, 2015.
Cyber Risk Increases Unabatedly Index of Cyber Security (a) • The Index of Cyber Security (ICS) is a sentiment-based measure of risk to the corporate, industrial, and governmental infrastructure from a spectrum of cybersecurity threats • ICS aggregates the views of information security industry professionals • Chief risk officers and their direct reports • Chief information security officers and their direct reports • Security product vendors’ chief scientists or equivalent • Selected academicians engaged in field work • Over the last 12 months, the index has increased 24% • Since inception in March 2011, the index has increased each and every month, and almost tripled • www.cybersecurityindex.org. Co-publishers: Dan Geer and Mukul Pareek.
The Cyber Conundrum Cyber security is critical, but the ROI is complex Huge Cyber Security Outlays… …Have Not Secured IT Systems… …Resulting in Dramatic Cyber Crime Growth and Costs • $77 billion expected to be spent globally in 2015 (a) • Cyber security market estimated to grow to $170 billion by 2020 (b) • 70% spending greater than 5% of their IT budgets on security (c) • Billions spent on security solutions that top 20% of cyber actors can bypass with a cheap laptop (d) • > 95% of organizations are still compromised (e) • Top 20% of cyber actors comprised of: • Elite hacker groups • Organized crime • Social engineers • Nation-state actors • Attacks have multiplied in all regions • Challenging legacy security model / perimeter defense • Losses often estimated in hundreds of billions of dollars (f) • Top 20% cause 90% of the damage (d) • Approximately 1 year detection time • $250 billion in IP theft • $9 million average response cost Increasing recognition that nothing can be made 100% secure, and movement towards “Cyber Resiliency” • Gartner estimate on global spend. • Markets & Markets report. • CyberEdge Group – 2015 Cyberthreat Defense Report. • CyberIQ. • FireEye. • For Instance, FireEye estimate of $445 billion lost annually.
The Problem Is Pervasive • Since 2005, 10,570 studied cyber events / data security breaches (a) • 2014 was a record year (a) • Over 579 million records exposed (41% increase over 2013) • Vast majority of breaches attacked personal information • Hacking most common source • Retail sector hit hardest with dramatic increase in number of compromises and records exposed • The 2014 Sony destructive attack exposed “inner workings,” a departure from historical attack modes on corporates • Lasting financial consequences based on CyberFactors tail analysis • Forecast of 14% CAGR through 2019 (b) • Most breaches are never publicly reported and many simply go undetected (a) Source: CyberFactors. (b) Source: Gartner Research 2013.
Data Breaches in the Headlines Note: Bubble size represents number of records compromised. Source: CyberFactors.
Data Breaches by Sector 2005 – 2014 [Chart: Number of Cyber Events and Average Compromised Records Per Event (in thousands), by sector: Healthcare, Gov’t, Fin. Services, Education, Tech. Services, Retail, Hospitality, Non-Profit, Manufacturing, Media, Comm. / ISPs, Energy, Transport., Conglomerate, Indust. Goods, A&D, Individual, Unknown, Agriculture, Construction] Frequency of cyber events and event severity vary significantly by industry Source: CyberFactors Data 2005 – 2014.
Cyber Security Is Now in the Boardroom . . .
How confident are you that your company is properly secured against cyber attacks? (a) Very Confident 4%; Confident 29%; Less than Confident 66%
What is your biggest fear regarding cyber attacks? (a) 1 Brand damage due to customer loss 2 Cost of responding to breach 3 Loss of competitive advantage due to corporate espionage 4 Regulatory and compliance violations 5 Other
(a) “Cybersecurity in the Boardroom – a 2015 Survey,” NYSE Governance Services and Veracode; survey of corporate board members.
. . . as a Critical Risk Management Priority Cyber risk is an enterprise risk management concern • Cyber security is a major governance issue with reputational, operational and financial implications • The overall cyber risk environment, the Target breach and C-suite shake-up, and lawsuits (e.g., Wyndham, Target) have heightened board awareness • With cyber in the spotlight, board members must: • Optimize cyber security governance principles and communication with senior management, IT and cyber security professionals • Establish clear plans, both for cyber security and data breach response • As cyber risk moves to measurement in balance sheet terms, boards will become even more focused Boards are increasingly important in the cyber security discussion, including the consideration of cyber insurance
Growing Regulatory, Legislative and Legal Spotlight Given personal, corporate and national security ramifications of cyber risk, there are a myriad of interested parties Executive Order / NIST Framework State Laws (Breach Notification, Other) CTIIC (a) Class Action / Derivative Suits State AG Increasing Regulation, Focus and Legal Exposure Info Sharing (DHS + FBI; Industry) Federal Laws? (TBD) FTC DoD (NSA, USCYBERCOM, etc.) Other Gov’t (HHS, OCC, FCC) DHS (NPPD, USSS, ICE) DOJ / FBI (FBI, NSD, etc.) SEC These trends and resulting standards will improve cyber risk pricing and enhance the attractiveness of cyber insurance • Cyber Threat Intelligence Integration Center, an intelligence unit announced by the White House.
Agenda Risk in the Digital Universe Cyber Risk Market Trends Risk Transfer Market Dynamics and Opportunities
The Cyber Insurance Market Today . . . Estimated Global Cyber Insurance Premium • Growing market / hot topic • 60+ underwriters • Increasing capacity and limits • Capacity aimed at larger insureds • Relatively under-penetrated SME market • Increasing sophistication, underwriting and distribution • Sales cycle is shortening / higher binding percentage • However, still a small market on an absolute and relative basis $10 Billion $2 Billion $1 Billion $120 Million NM (c) (a) (a) (b) (b) • Source: AIG. • Source: The Betterley Report, D&P Analysis. • Source: ABI Research.
. . . Reflects Several Historical Challenges • Lack of standardized coverages and insurance product information • Cumbersome application process • Denial: many have not been willing to recognize risk or believe already covered in standard policies • Senior management / boards historically lacked understanding of exposures • Limited provision in corporate budgets for cyber insurance • Cyber risk pricing models not well-developed • Limited historical data • Evolving, iterative nature of necessary data • Risk aggregation concerns (“cyber hurricane”) • Varying levels of sophistication in the underwriting and distribution communities
The Cyber Risk Transfer Market Continues to Evolve Risk Modelers • A variety of risk modeling initiatives in cyber • Increasing amounts of diverse, accurate and relevant historical breach data • Expanding sample size of claims data (both public and proprietary) • Refinements in IT security rating engines / online risk assessment tools • Improving standards (e.g., NIST) • Additional information / data sources • Threat analytics • Information sharing – public / private collaboration • Advancements in cyber security technology, tactics, and awareness • New knowledge/strategies to mitigate aggregation risk exposures • Movement towards standardization in rates and forms • Market depth with maturation: reinsurance, cat bonds, cyber captives, SPVs and sidecars
Cyber Insurance – a Fast-Growing Specialty Line • Explosion of data, increase in attack surfaces and attackers, and ongoing attribution challenges • Senior management and board pressure • Focus and publicity / increased awareness and education • Substantial SME market opportunity • Regulatory and legal trends • Market need for a holistic solution • Insurance industry capabilities – in unique position to help shape the dialogue • Enhanced actuarial data and approaches • Government initiatives around information sharing and threat collaboration Cyber insurance will be an expected business expense and purchased concurrently with other standard coverages
Further Questions / Topics for Discussion • Artificial Intelligence / Machine Learning • Attribution • Big Data • Breach Reporting – Mandatory? • Cloud • Code as Regulator • Cost of a Networked World • Data Integrity • Federal Backstop (e.g., TRIA) • Federal Data Breach Law • Intangibles – Valuation / Accounting • Internet Governance • Net Neutrality • New Internet / New Design? • Open Source Trends • Privacy / Right to be Forgotten • Public / Private Collaboration • Quantum Computing • Reputational Risk (See Intangibles) • Shadow / Parallel Networks • Software Security – Like Milk or Wine? • Who “Owns” the Data?
Thank You for Your Time “Risk and time are opposite sides of the same coin, for if there were no tomorrow there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field.” – Peter Bernstein, “Against the Gods”
Contact Us For further information, please contact: David Kimmel Chief Executive Officer CyberRiskPartners (917) 664-8798 david@cyberriskpartners.com
Source: DOMO – Data Never Sleeps 2.0. Source: Harvard Business School.
Four Decades of Digital Transformation IT Expenditure as Percentage of Total U.S. Capital Expenditure Source: U.S. Bureau of Economic Analysis and Harvard Business School.
There Is a Rapidly Increasing Number of Distributed Digital Devices . . . Global Internet Device Installed Base Forecast Source: Gartner, IDC, Strategy Analytics, Machina Research, company filings, BN estimates and Harvard Business School.
. . . Leading to an Explosion of Available Digitized Information . . . Global Digital Information Created & Shared, 2005 – 2015E Source: 2014 KPCB Internet Trend Report, Morgan Stanley Research and Harvard Business School.
. . . with Massive Computing Power Universally Accessible in the Cloud The Cloud will take us to Infinity and Beyond: the marginal cost of cloud computing is going to “zero” Source: Harvard Business School.
Index of Cyber Security [Chart: Rate of Change Over Previous Month and Index Value, monthly, Jan. 2014 – July 2015] The Index of Cyber Security is a sentiment-based measure of the risk to the corporate, industrial, and governmental information infrastructure from a spectrum of cyber security threats, as based on the aggregate view of information security professionals. *ICS VALUE, January 2015 = 2556 (BASE = 1000, MARCH 2011). Co-Publishers: Dan Geer and Mukul Pareek. www.cybersecurityindex.org
Where Does Your Data Go? As health records go digital, you might be surprised where they end up and who buys them Source: Latanya Sweeney, The Data Map and Harvard University.