
Page 1

Why are the Lights Off?! Recognizing and Managing Your Cyber Risk Exposures

Prepared by Jessica Foster, J.D. Legal Consultant, Financial Services Group Aon

April 12, 2019

Page 2

Agenda

1. Part I: Cyber Risk
2. Part II: The Cost of Loss
3. Part III: Cyber Risk Management

Page 3

Part I: Cyber Risk

Business interruption, cyber extortion, Internet of Things (IoT), and beyond

Page 4

The Expanding Nature of Cyber Risks

Universal issue – irrespective of the size, structure, industry sector and location of the organization

Malicious threats still prevalent
– Stealth hackers, malware, extortionists, rogue contractors, disgruntled IT staff

Prevalence of non-malicious incidents
– Employee mistakes (lost laptop)
– Marketing mishap: innocent customer data leaks
– Vendor leak

Network operation and sharing trends
– Points of failure are multiplied by the trend of outsourcing computing needs, including cloud computing
– Massive dependencies and data-sharing between business partners

Page 5

Criminal Activity is Rising

* NetDiligence 2018 Cyber Claims Study

Page 6

Cyber Breach Statistics

The average Canadian company finds itself under attack by hackers more than once a day

Almost 670 million new malware variants were observed in 2017, an increase of 87% over the 357 million variants observed in 2016

In Canada alone, cybersecurity breaches cost companies a total of more than $9.6 billion in recovery in the past year

On average, it took more than five months to detect that an incident had occurred and almost two months to contain the incident

Approximately 25% of data breaches have insider involvement

In 2016, Construction Dive reported a 400% increase in ransomware attacks on the construction industry over the previous year

More than 75% of companies in the construction, engineering & infrastructure industries have experienced a cyber incident within the last 12 months

* Statistics from: Symantec 2017 Internet Security Threat Report; The Cyber Security Readiness of Canadian Organizations, 2018, Scalar; NTT Security; NetDiligence 2017 Cyber Claims Study; Forrester Research, Inc.

Page 7

Cyber Crime Motivations

Motivations of cyber criminals are typically not clear

Financial: steal critical confidential third party information and then sell it to rogue states or competitors on the internet

Political: cyber criminals may have political or activist motivations due to: the perceived environmental impact of the organization or industry’s operations; the types of projects the company is involved in; the manner in which the end projects are used

Reconnaissance: hackers may be trying to determine where network vulnerabilities are, what systems can be penetrated and what information can be accessed – This information may then be used by cyber criminals at a later date

Page 8

Most Common Organizational Cyber Exposures

Employee information: names, addresses, Social Insurance Numbers (SINs), payroll information (including financial information), HR records
– The exposure remains even if payroll processing is outsourced to a third party (e.g. ADP)

Individual customer or client information: personally identifiable information (PII) (e.g. names, addresses), financial information

Corporate confidential information: third-party intellectual property, M&A documents

Business interruption: security breaches causing operational downtime
– Dependent/contingent BI: key service providers experience security breaches that in turn interrupt the insured's business

Cyber extortion: threats made against an organization to disclose confidential information or, as with ransomware, to withhold access to its own systems unless payment is made

Physical damage to property or personal injury: resulting from a cyber breach (e.g. Internet of Things (IoT) exposures)

Page 9

Variables Impacting Cyber Risk in the Construction Industry

High-profile, large-scale projects
– Construction companies may be targeted for politically motivated reasons, with hackers attempting to gain information related to high-profile, large-scale projects
– Hackers may also be looking for valuable data that can be exploited to obtain money or a competitive advantage

Interconnected systems
– e.g. shared procedural or structural models; design and construction software systems (such as BIM platforms, Procore and Revit); smart building monitoring systems; any other system that has internet-connected capabilities or can be accessed remotely

High degree of dependency on electronic processes and computer networks
– The company may be vulnerable to cyber extortion attacks and business interruption

Page 10

Organization-specific Variables Impacting Cyber Risk

1. Budget Constraints
– Impact on the ability to train staff and to maintain, upgrade, monitor and test computer systems

2. Outsourcing of IT Operations
– Myth debunked: if you outsource data storage/processing, you are not protected from the consequences of a data breach!
– Outsourcing a large percentage of IT operations to third parties (e.g. cloud service providers) can increase risk in some cases

3. Target for Hackers
– Local governments, energy and utility companies, transportation and other industries can be targets for hackers and extortionists

4. Public Scrutiny
– Municipal governments and Crown corporations tend to be subject to greater public scrutiny with respect to cybersecurity and the use and protection of personally identifiable information

5. Long Information Retention Periods

Page 11

Cyber Exposures for Construction Companies – Business Interruption and Reputation

Construction companies face huge financial and reputational consequences if operations cease, causing a business interruption (BI)
– Risk of delays to project completion, with potential financial penalties
– Additional expenses to get the business back up and running
– Mass chaos and disruption, with the potential to negatively affect the company's reputation moving forward

Business interruption in the cyber context can occur for any number of reasons:
– Cyber security breach/cyber attack, e.g. ransomware penetrates the company's network, locking out employees and suspending all services (direct BI)
– A vendor, service provider, subcontractor or other critical third party experiences a cyber incident that suspends the company's operations (contingent BI)
– A software update goes awry and freezes the company's systems and operations (systems failure BI)

Page 12

Cyber Exposures for Construction Companies – Bodily Injury & Property Damage

Internet of Things (IoT) risk is high for construction companies

Any system that runs electronically can have access points that may be exploited by third parties, causing bodily injury or property damage (and, likely, business interruption)

Example:
– In 2014, hackers penetrated a German steel mill's network using a spear-phishing email scheme, entered its enterprise systems, and from there accessed its industrial control systems. Once the hackers had control of the facility's control systems, mill operators were unable to shut down a blast furnace in a controlled manner, resulting in massive damage to the equipment.

Page 13

Cyber Exposures for Construction Companies – Third Party

Construction companies generally possess large amounts of non-personal confidential information of third parties in their care, custody and control
– e.g. technology, IP, recipes, specifications, plans, diagrams, etc.
– If confidential information is lost or exposed, companies could face a civil lawsuit resulting in substantial defence costs, settlements or judgments

Construction companies, like other organizations, have employees and will likely obtain and store a substantial amount of their employees' personally identifiable information (PII)
– e.g. payroll and health information, employment history, financial information, SIN, performance reviews, etc.
– If PII in the company's care, custody and control is compromised, the organization could face: (1) a civil lawsuit resulting in substantial defence costs, settlements or judgments, and/or (2) fines levied by a regulator as a result of an investigatory/regulatory proceeding

Page 14

Cyber Exposures for Construction Companies – Cyber Extortion

Due to the nature of their operations, construction companies are also a valuable target for cyber extortionists
– e.g. malware penetrates the network and locks the insured company out of all systems; the cyber criminal demands payment to "unlock" the systems

As discussed, the financial and reputational consequences of the resulting service and business interruption, and of potential delays to project completion, are huge

Extortionists may demand large ransom payments to restore access to systems

Costs involved can include:
– Extortion amount
– Additional costs to terminate the threat (e.g. an IT forensics team)

Page 15

Part II: The Cost of Loss

Page 16

Causes of Cyber Privacy Breaches – 2013 - 2017

* NetDiligence 2018 Cyber Claims Study

Page 17

Causes of Cyber Privacy Breaches – 2017

* NetDiligence 2018 Cyber Claims Study

Page 18

Costs Incurred Following a Cyber Breach

First Party Costs (the organization's out-of-pocket costs):
– Damage to data and property
– Recovery and restoration expenses
– Loss of intellectual property
– Business interruption
– Internal investigation
– Lost employee productivity
– Notification expenses
– Interaction with regulators
– Call-centre expenses
– Website maintenance
– Identity theft and credit monitoring
– Public relations

Third Party Costs:

Civil suits
– From business partners (e.g. financial institutions, for credit card notification and recall expenses)
– From employees and the general public, for identity theft and mental anguish claims
– Compensatory damages
– Legal fees

Regulatory investigations and proceedings
– From privacy commissioners
– Fines, penalties and civil awards
– Costs to comply with orders

Page 19

Real Claim Payouts: First Party vs. Third Party Costs

Total claims payouts by type of cost (N= $76M in reported claim expenses)

* NetDiligence 2016 Cyber Claims Study

Page 20

Cost of a Cyber Breach – Global vs. Canada

Out of 477 participating global companies spanning 17 industry sectors, the following costs were identified:
– Average total cost of a data breach: $3.86M (increased 6.4% from 2017)
– Average cost per lost or stolen record: $148 (increased 4.8% from 2017)

Out of 28 participating Canadian companies, the following costs were identified:
– Average total cost of a data breach: $4.74M
  • Third highest overall, behind only the U.S. and the Middle East
– Average cost per lost or stolen record: $202
  • Second highest overall, behind only the U.S.

*Data obtained from the Ponemon Institute LLC: "2018 Cost of a Data Breach Study: Global Overview"

Page 21

Cost of Loss – Industrial Manufacturing (per record cost $)

As the diagram on this slide shows, companies in the industrial sector had a per capita data breach cost above the overall global mean of $148:

*Per capita cost is defined as the total cost of a data breach divided by the size of the data breach in terms of the number of lost or stolen records.

*Data obtained from the Ponemon Institute LLC: “2018 Cost of a Data Breach Study: Global Overview ”

Page 22

Cost of Loss – Industry (overall $)

* NetDiligence 2018 Cyber Claims Study

Page 23

Part III: Cyber Risk Management

IT solutions, contractual risk transfer, organizational best practices, insurance risk transfer and procuring insurance

Page 24

IT Solutions

Network Security
– Review firewall configurations and ensure that only allowed ports, services and IP addresses are communicating with your network
– Segregate payment processing networks from other networks
– Apply access control lists (ACLs) in the router configuration to limit unauthorized traffic to payment processing
– Create strict ACLs segmenting public-facing systems from the systems that house payment card data
– Implement data leakage prevention/detection tools to detect and help prevent data exfiltration
– Implement tools to detect anomalous network traffic and anomalous behaviour by legitimate users

Administrative Access
– Use two-factor authentication when accessing payment processing networks (even if a virtual private network is used, 2FA is still important: it helps mitigate key-logger and credential-dumping attacks)
– Limit administrative privileges for users and applications
– Periodically review systems (local systems and domain controllers) for unknown and dormant users

Encryption
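To make the first three network-security bullets concrete, here is an added example (not from the deck, and not Aon's tooling) of an automated review of a firewall/router rule set: it flags catch-all rules, services that are not on an allowlist, and any rule that lets traffic into the payment segment from a source that has not been approved. The rule format, the segment addresses, the allowlist and the sample rules are all constructed for the example; a real review would load the rules from the device's configuration export.

```python
"""Automated review of a firewall/router rule set (added example, not part of
the deck). Checks three of the 'IT Solutions' controls: only allowlisted
ports/services are permitted anywhere, no catch-all rules exist, and the
payment processing segment is reachable only over approved paths.
All addresses, rules and allowlists below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    proto: str    # "tcp", "udp", or "any"
    port: str     # port number as a string, or "any"


# Hypothetical segment that houses the payment processing systems.
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Hypothetical approved paths into the payment segment: (source, proto, port).
ALLOWED_INTO_PAYMENT = {
    (ipaddress.ip_network("10.10.0.0/24"), "tcp", "443"),  # POS terminals -> gateway over TLS
    (ipaddress.ip_network("10.99.0.5/32"), "tcp", "22"),   # admin jump host (behind 2FA) -> SSH
}

# Hypothetical allowlist of services that any rule may permit at all.
SERVICE_ALLOWLIST = {("tcp", "443"), ("tcp", "22"), ("udp", "53")}


def _net(cidr):
    """Parse a CIDR string; None stands for 'any'."""
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _reaches(cidr, segment):
    """True if a destination of 'cidr' covers any address in 'segment'."""
    net = _net(cidr)
    return net is None or net.overlaps(segment)


def review_rules(rules, payment=PAYMENT_SEGMENT,
                 approved=ALLOWED_INTO_PAYMENT, allowlist=SERVICE_ALLOWLIST):
    """Return [(rule_index, finding), ...]; an empty list means the set is clean."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue  # deny rules cannot open anything
        # 1. A catch-all allow makes every other rule irrelevant.
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((i, "catch-all allow: any source to any destination on any port"))
            continue
        # 2. Only allowlisted services may be permitted anywhere.
        if r.port == "any" or (r.proto, r.port) not in allowlist:
            findings.append((i, f"{r.proto}/{r.port} is not an allowlisted service"))
        # 3. Traffic into the payment segment must match an approved
        #    (source, proto, port) path exactly; an 'any' source never qualifies.
        if _reaches(r.dst, payment):
            if r.src == "any" or (_net(r.src), r.proto, r.port) not in approved:
                findings.append((i, f"{r.src} -> {r.dst} {r.proto}/{r.port} "
                                    f"reaches the payment segment {payment} over an unapproved path"))
    return findings


# Constructed sample rule set, in the order a router would evaluate it.
SAMPLE_RULES = [
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", "443"),   # approved
    Rule("allow", "10.99.0.5/32", "10.20.0.0/24", "tcp", "22"),    # approved
    Rule("allow", "10.30.0.0/24", "10.20.0.0/24", "tcp", "3389"),  # office LAN -> payment RDP
    Rule("allow", "any", "10.20.0.10/32", "tcp", "443"),           # internet -> payment gateway
    Rule("allow", "any", "any", "any", "any"),                     # forgotten troubleshooting rule
    Rule("deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for index, finding in review_rules(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

Run it on a schedule or in the change-control pipeline and treat a non-empty findings list as a blocker; the same structure covers the public-facing/card-data ACL bullet by adding a second protected segment with its own approved paths.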

Page 25

Contractual Risk Transfer

If a company has service contracts, there are a number of things to consider:
– Limit of liability
  • Indemnification
– Where are the data centers?
– Will the service provider be required to purchase cyber insurance?
– Strength of security utilized by third party vendors and/or any subcontractors
  • Will the client be notified of and have the opportunity to approve the service provider's subcontractors?
  • Are security audits permitted?
  • What verifications must service providers give?
  • Are employee background checks required?
– Responsibilities in the event of a cyber breach
  • Responsibility for notification
  • Service provider's obligation to mitigate
  • What laws apply?
– Termination of the contract
  • Is data returned or destroyed?

Page 26

Organizational Best Practices

Update computer systems regularly – set a schedule to make it automatic

Enforce strong, unique passwords and change them promptly when compromise is suspected – install software that requires this or establish a policy

Establish policies and procedures around the collection, use, storage and destruction of confidential information and make them known to all employees at the company

Educate employees about cyber risk – how to practice safe internet usage, how to recognize the signs of a cyber scam, and the importance of following established protocols

Develop a cyber breach response plan – identify the third party experts that you will use to fix the breach and mitigate damages

Have staff lock their workstations and take their devices (e.g. laptops) with them when they are not in use

Back up important information regularly – consider off-site storage (e.g. cloud storage), and keep at least one copy offline or otherwise isolated from the production network, since ransomware that reaches the backup servers defeats the backup

Know and understand your cyber risks – what can be handled internally, what costs or time delays your company can absorb, and whether you are transferring the risk to the extent possible

Page 27

Risk Management Practices and the Impact on Cost of Loss

Impact of risk management practices or other response actions on the cost of a data breach
– e.g. employee training reduces the average per capita cost of a data breach by $9.30. In contrast, extensive use of IoT devices increases the average per capita cost by $5.40.

*Ponemon Institute LLC: "2018 Cost of a Data Breach Study: Global Overview"

Page 28

However, even if Cyber Risk Mgmt. Practices are implemented flawlessly…

Page 29

What Does a Cyber Liability Insurance Policy Cover: First Party Costs

Privacy breach costs
– Notification costs (whether or not statutorily mandated)
– Legal advice
– IT forensics (sometimes needed to determine whether a breach has even taken place)
– PR and brand damage management
– Credit and identity theft monitoring for affected individuals

Business interruption
– Extra expenses incurred because of the loss
– Ordinary payroll expenses while the business interruption is ongoing
– Lost income

Digital asset restoration
– Cost of labour to recreate digital records
– Cost to replace damaged hardware and software

Cyber extortion
– Expenses resulting directly from the insured surrendering funds or property to the person who makes the threat
– Costs to terminate the threat (e.g. the extortion amount); the value of the insured's own confidential information is not covered

Page 30

What Does a Cyber Liability Insurance Policy Cover: Third Party Liability Costs

Your liability to third parties arising out of:
– Network security breaches of the insured's computer system
– Network security breaches of the network of a third party service provider
– Privacy breaches: your failure to protect confidential information
– The transmission of malicious code to third parties

Regulatory investigations, proceedings and penalties:
– Fines and penalties levied by privacy regulatory bodies, where insurable
– Civil awards made by regulatory bodies
– Costs of regulatory investigations
– Payment card industry fines, penalties and investigations (with added endorsement and additional premium)

Page 31

Internet of Things (IoT) Risk

Direct bodily injury or property damage (IoT risk) is typically excluded from cyber liability insurance policies

However, there are a few places where this coverage could be picked up:

1. Existing property policies
  • Silent coverage exists in some cases, or coverage can be added by endorsement

2. New hybrid cyber products
  • Cover both privacy risk and Internet of Things exposure

3. Aon Cyber Enterprise Solution (ACES)
  • Designed to protect large organizations against catastrophic cyber risk with a high limit/high retention approach
  • Protects specifically against property and casualty losses arising out of a cyber breach

Page 32

Purchasing Cyber Liability Insurance: Underwriting and Application

Large organizations are required to complete a long-form application with questions related to the size/scope of the business, the extent of operations, the kind of information collected and existing IT security measures
– From this, manuscript policy wording can be negotiated to address each organization's unique risk exposure

Organizations that have revenue of $200M or less can now take advantage of a streamlined cyber insurance purchase process
– Involves a 7-question application and manuscript policy wording

Key variables to the cost of cyber insurance include:

Page 33

Cyber Insurance – The Real Scoop on Cost and Coverage

The cost of cyber insurance varies greatly depending on the size and scope of the business being insured and the metrics discussed on the previous slide

Premiums and retentions have come down in recent years, and generally remain flat on renewal
– However, rate increases may result where there has been a drastic increase in revenue or a history of cyber incidents

Coverage has also broadened, and an increasing number of carve-backs have been negotiated to narrow existing exclusions
– There is significant variance in the wording of cyber insurance products available in the market
– Some policies provide much broader coverage than others
– Language nuances can lead to unexpected denials of coverage

For more accurate information about how much cyber insurance will cost for your company, it is best to speak to an insurance broker

Page 34

Actual Cyber Insurance Payouts

Type of Company: Professional Services – Construction and Design Services
Total Payout: USD $300k (legal counsel, forensics and ransom payment)
Policy Coverage Section: Cyber Extortion

Ransomware attack: privacy counsel and a forensic vendor were retained.

The attack hit the company's servers AND its backup servers, which made restoration difficult. No decryption tool was available.

It was determined that paying the ransom (20 bitcoin) would be the quickest way to address the situation. The forensic firm worked with a bitcoin broker to secure the necessary funds and coordinated the exchange with the attacker.

Subsequent decryption required significant assistance from the forensic firm, which also monitored the decryption process to ensure that the attacker was not able to regain access to the environment and re-encrypt any of the affected machines.

There was no evidence that information had been stolen from the company's systems; therefore, no legal notification obligations were triggered.

* Example from "Cyber attacks: Claims scenarios ripped from today's headlines", XL Catlin.

Page 35

Construction – Cyber Incident Examples

Type of Company: Concrete contractor
Total Loss: $218,797

A concrete contractor's CEO opened a phishing email; the malware it carried infiltrated the company's computer network, undetected by anti-virus software.

The malicious code exposed the names, addresses, social security numbers and healthcare records of 50 employees.

The company was fined $218,797 by a regulatory investigation committee for "failure to protect personally identifiable information."

Page 36

Construction – Cyber Incident Examples

Company: Turner Construction

Turner Construction was the victim of a spear-phishing scam in 2016. An employee sent tax information on current and former employees to a fraudulent email account. The information included full names, Social Security numbers, states of employment and residence, and tax withholding data for 2015.

Company: Whiting-Turner Contracting

In 2016, Whiting-Turner Contracting was notified by an outside vendor that prepared W-2 and 1095 tax forms for the company's employees about suspicious activity on that vendor's systems.

Around the same time, employees of Whiting-Turner were reporting fraudulent tax filings being made in their names.

In addition to employee information, it is also possible that personal information of children and beneficiaries of employees who received healthcare insurance coverage through Whiting-Turner was compromised.
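The Turner incident is a textbook W-2 business e-mail compromise: no malware, just a message that looked as if it came from an executive. As an added example (not part of the deck, and not Turner's, Whiting-Turner's or Aon's tooling), the following checks score an inbound message on the signs a mail gateway or helpdesk can verify from the headers alone: an executive's display name on a non-corporate address, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and a request for payroll or tax data from outside the company. The company domain, the executive roster, the keyword list and both sample messages are constructed for the example.

```python
"""Header-level checks for payroll/tax-data spear phishing (added example, not
part of the deck). Flags the signs behind W-2 scams of the Turner kind: an
executive's display name on the wrong address, a lookalike sender domain, a
diverted Reply-To, and an external request for payroll or tax records.
The company domain, executive roster and sample messages are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-construction.com"                         # hypothetical
EXECUTIVES = {"Jane Doe": "jane.doe@example-construction.com"}  # constructed roster
# Constructed keyword list; "t4" is the Canadian equivalent of a W-2.
PAYROLL_REQUEST = re.compile(
    r"\b(w-?2|t4|payroll|tax (?:forms?|withholding|information)|social security|sin)\b",
    re.IGNORECASE)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, ours=OUR_DOMAIN):
    """True for a near-miss of our domain (e.g. one letter swapped), never for ours."""
    if not domain or domain == ours:
        return False
    return SequenceMatcher(None, domain, ours).ratio() >= 0.85


def assess(raw_message):
    """Return the list of reasons the message looks like payroll-data phishing."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = []
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an executive but the address is {addr}")
    if is_lookalike(from_dom):
        reasons.append(f"sender domain {from_dom} is a lookalike of {OUR_DOMAIN}")
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append(f"Reply-To diverts replies to {reply_to}")
    if from_dom != OUR_DOMAIN and PAYROLL_REQUEST.search(text):
        reasons.append("external sender asks for payroll/tax data")
    return reasons


# Constructed messages; the lookalike domain swaps an 'i' for an 'l'.
PHISH = """\
From: Jane Doe <jane.doe@example-constructlon.com>
Reply-To: hr-desk@mailbox.example
To: payroll@example-construction.com
Subject: Urgent: W-2 forms for all employees
Content-Type: text/plain

Hi, I need the 2015 W-2s for all current and former staff as one PDF today.
Reply to this address, I am in meetings all afternoon. Thanks, Jane
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-construction.com>
To: all-staff@example-construction.com
Subject: Town hall on Thursday
Content-Type: text/plain

See you in the main boardroom at 3 pm.
"""

if __name__ == "__main__":
    for label, message in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(message) or ["no indicators"])
```

Any single hit is enough to route the message to a human reviewer; the payroll-data check in particular should block rather than warn, since the correct response to a request like this is a phone call to the named executive, never a reply to the message.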

Page 37

Questions/Thank you

Jessica Foster, J.D., Legal Consultant [email protected] / 416.868.5651

Important: This report contains proprietary and original material which, if released, could be harmful to the competitive position of Aon Reed Stenhouse Inc. Accordingly, this document may not be copied or released to third parties without Aon’s prior consent.