Maritime cybersecurity: a risk manager's perspective

Cyber Risks: One Risk Manager's View
Pam Mihovil, Insurance and Risk Manager, Marathon Oil


Cyber? What should you do? Where do you begin?

• De-mystify this risk. The more you discuss it, the more manageable it becomes.

• Read Your Policies – It is critically important that you fully understand your current policies on this issue. Better coverage is often available, but only if we confront the issue head on.

• The first step is the most important. Gather information internally. Meet with your internal experts, meet more than once, talk to everyone. Start with small groups which encourage open dialog. Learn about your company's 'cyber' risk from those who understand it best.

• Divide and conquer! 'Cyber' is not one issue, it is several. Some will be important to you and some will not. Don't waste time on the unimportant stuff.

• Risk Manager vs CIO – You don't need to 'write code' or define 'network protocols' to manage cyber risk. You just need to understand your company.

Breaking Down the Risks: Services vs PD vs Terrorism

• Systems Integrity
  – IT Security Measures
  – Assessment of Security
  – Vulnerabilities
  – Technical Incident Response

• Stolen Data
  – Personal – Notification, Credit Monitoring
  – Corporate – Public Relations Assistance
  – Perpetrator Investigation

• Destroyed Data
  – Technical Incident Response
  – Perpetrator Investigation

• Physical Damage
  – Repair, Replace, Rebuild Assets
  – Lost Income
  – Third Party Claims

$ → $$$$: Typically the value of potential loss escalates as you move down the list.

Slide notes on the risk categories above:

• For extremely critical data the only meaningful mitigation is back-up redundancy.

• Most IT Depts. will have covered this.

• Most IT Depts. will have existing resources in place and will not want to share processes.

• Typically, only significant when you have a retail segment or limited corporate response resources.


Breaking Down the Risks: Targeted Attack is Terrorism or War.

Everything else is routine physical damage.

For most of us in this room, this is the cyber risk discussion we really need to have.

Meaningful, sustainable solutions with clear and up-to-date policy wording are long overdue, especially in the offshore arena.

Current Policy Wording Examples – Offshore

INSTITUTE CYBER ATTACK EXCLUSION CLAUSE (CL 380) 10/11/2003

1.1 Subject only to Clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any electronic system.

1.2 Where this Clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system, computer software programme, or any electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

My policy covers Terrorism, so CL 380, 1.1, does not apply….

Harm? To whom? The Insured?

Current Policy Wording Examples – P&I

P&I Exclusion of Computer Viruses: The Association shall not be liable for any losses, liabilities, costs or expenses directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer virus.

Special P&I War Risks Cover: The cover also continues to include an exclusion in respect of chemical, biological, biochemical and electromagnetic weapons.

The term "electromagnetic weapon" refers to sophisticated mechanisms designed to destroy computer software.

Only a computer virus? What about malware or spying software?

Only destroy? What if its intent is unknown, or is to steal, extort or control?

Breaking Down the Risks (revisited)


Like any risk, knowing your company and understanding your exposures is essential. You will learn what you need, what you don't, and where you need to spend your time.

Handled by IT? Perhaps a 'risk survey' type service would be of value?

Avg. cost of a breach* $4MM; $158/file. What's your exposure? Purchased limit should make sense vs. your risk.

* Per Ponemon Institute LLC 2016 Cost of Data Breach Study, sponsored by IBM

If critical data is gone, completely destroyed without back-up (realistically), what can insurance do for you?

A risk to 'own' versus transfer, maybe?

Read Your Policies!

What do your current policies say, and what do you think they mean?

Cyber Risks

Pam Mihovil, Marathon Oil