
All right, good morning everyone, welcome to BSides Las Vegas. This talk is going to be about cyber risk: how do cyber events become so costly? How do you say your name? Wendy Hon. Wendy Hon is going to be our speaker today. Before we begin, though, I'd like to thank our sponsors for this event; they're the ones that make this possible. Adobe is going to be our Diamond sponsor, and our gold sponsors are Prisma Cloud, SEM Group and BlueCat. It's their support that allows us to put on these events today. For cell phones, if you have a cell phone, please put it on silent. And out of respect towards the speaker, if we can minimize any type of interaction or conversations. If you have questions at the end, or if there's time for questions, there will be a period for that. I'll be walking around with a mic, so if you just want to raise your hand I'll come to you, and then we'll just use the microphone and you can ask your questions to the speaker. And that's all, so without further ado. Yeah, I'll go shut off.

Okay, good morning. Well, thank you for being here. I'm excited for this talk
just because we had a lot of people who really didn't understand, or wanted to know, what it looks like when there is a cyber event. So I'm going to... I'm still testing my stuff, so I'll start with the agenda. Today I'm going to start with some trends and statistics, and then go through some of the major categories of cyber events and talk about each one of those types of event: what are the cost components of those events? And I added the last bullet because I don't want to tell you how bad it is without telling you how you make it better, sort of. So that was the last thing that I added; there are a few slides on that one to give you some information on things that you minimally have to have, otherwise they won't even sell you cyber insurance.

So, intro. I'm from Marsh McLennan. We are the biggest insurance broker in the world; 70% of the Global 2000 actually buy their insurance through us. So you can think of all the big names, as well as a lot of the smaller ones; we also cover smaller companies, as well as reinsurers. We also have a company that does reinsurance for the different insurance portfolios, and we consult on that one as well. So we get a lot of different sorts of data, in that sense.

Speaking of data, here are some of the data sources I'm going to use for today's presentation. Zywave, which used to be Advisen; there's a loss feed data that's in there. There's Flashpoint, which used to be Risk Based Security; they have a vulnerability database and a breach incident database. Also publicly reported data, such as from financial companies, from 10-Ks, from their press releases. Usually when the breach is big enough they have to report it, so that's where we got some of those numbers from. So those are the public data sources I'll be using, and the private, proprietary data source will be the claims: the Marsh McLennan claims, as well as our UK and European claims, and the different insurance portfolio claims. So when the reinsurers have different insurance portfolios and those portfolios make claims, it actually gets into our database. Most of the data I use ranges from 2017 to 2023, except some of the privacy claim stuff that goes further back, just because those claims take a long time to settle. If you look at some of the big claims from the last few years, many of those are still open; there are still claims from 2019 that are open, and many of the privacy claims are still open.

So I'll go through the trends and statistics. This one is from 2017 to 2023. As you can see in my data, both actually, the data is a little bit biased toward the US; however, the incident rate in general in the US is also higher, so there are two kinds of biases. This is about 84,000 incidents from 2017 to 2023, and 2022 and 2023 are partial data, just because there are discovery delays, reporting delays, and delays in storage to the database. If you look at just the US, since this is the one that represents a lot of the data, you can see that it's increasing from 2019 to 2020, when COVID happened; that really jumped up in terms of frequency, and then in 2021 it came down a bit. 2022 is not all done yet; I think there are still things being reported, but they haven't quite made it to the database. I think the average dwell time, when the bad actors are in your environment, today according to Mandiant is 16 days. But then if you look at the Marriott incident, they got into the environment in 2014 and they didn't find it till 2018, so it could be a long time before you actually discover it. And with some of those things, you'll see those kinds of things will happen. So 2022 and 2023.

If you look at the evolution over time, you can see that, for example, healthcare on the bottom here is pretty much a big band, a big percentage of the events, along with financials and public administration. However, if you look at manufacturing, which is this guy, you can see that at first there was not much of it, and then toward 2020 it's starting to get more and more, and now the ransomware event is hitting that as well. So you can see the different industry evolutions through time and how they change.

So now I'm going to go through the privacy breach events. The lawyer took out all my names, so I can only put the country on there, but this is all public data; this is not private data, this is not proprietary data. I wasn't going to show that. I had company names here, but they said no, take it out, just because some of those are our clients, so it got yanked off. But you can actually go look it up: if you look up those kinds of numbers, the millions and the dates, you'll find them. You can see some of those privacy breaches are very huge. You probably know what this one is, the first one, and it's almost a billion dollars in fines just on that one, easily. All 50 states, all the state attorneys general, came and asked for fines and penalties on that one, FTC fines, this long list of fines that hit; that damage would be a couple of billion dollars of damages.

Yes? "By privacy, do you mean PII data?" PII, PHI and PCI. Okay, so PII would be the names and Social Security numbers, those types of data; PHI would be healthcare records, those types of data; and PCI would be the credit cards and any sort of financial information, account numbers and so forth. Those kinds of data are what I call privacy. Good callout, thank you.

So let me get into the fines now. Those are the different fines that were due to privacy, well, actually settlements, fines and penalties, and those are the huge ones that you can see; various industries are actually represented here, and when they have fines, those are not small fines. Some of those are GDPR fines. People are under the impression... this could actually be... when I do the model, I've built models for Marsh for the last six years, and this is one of the big components that actually gets into the very big, severe penalties and fines. So this is the fines and penalties for the different companies. And if you talk about GDPR fines, somebody says, "Oh, we're not doing business in Europe." But if a European citizen comes to the US, goes to your company for a haircut, and you lost their data, you could be subject to GDPR fines, and that's 4% of your revenue or $20 million. And then if you look at the GDPR fines themselves, the majority of the fines in there are not due to a cyber incident but due to process compliance, how you keep your data and stuff, and so anybody could be hit for that. Similarly, I think, Kathy, you had a conversation about all the different states: if a California citizen goes to Texas to buy something and you lost their credit card number or something, you can also be subject to that state's fines as well. So this is a big category.

So, just the model that we built for privacy breach: here's a typical claim expense that comes within the model. PR and crisis management, the breach counsel. Even if you didn't lose the data, if anybody just touched your data, you're going to have to go have a conversation with the lawyer to see what you need to do to be compliant; so that's the breach counsel, general legal counsel, PR, and some of the big ones: if you lost a lot of records, then you probably have to set up a call center, just because people are going to ask questions. Investigation, forensics, notifications, and you see legal right there, and there are various identity theft protection services that could become a pretty big bill. And of course data restoration; that one is a tough one. That one also could be... you need the software to rebuild the system,
you have engineering services, consultants and so forth, and then not to mention regulatory fines, legal cases and liabilities and settlements and stuff like that. So I think on a previous slide, if you look at the fines, some of this stuff is pretty huge, and I think there are some of them that are not even finished yet, like this one: it's a 9080 million fine and 190 settlements, and there are still additional settlements coming along as well. And in addition, for technology companies, if you provide any sort of technology services, as well as products that could comprise appliances, equipment and stuff like that, if you lost people's information you can also be subject to tech errors and omissions type insurance. So that could turn out to be very big; those are usually third-party consequential losses as well. I'll talk a little bit more about that one on the next slide.

So everybody, with all this stuff, what is cyber insurance actually? This is my summary slide. Any first-party stuff, anything that you investigate: cyber extortion, ransomware, business interruption; a lot of people don't even know their policy actually has business interruption coverage. And then as well any sort of restoration of data, response, legal: all of those are part of the insurance. And usually, I forgot where I got the source, it was like, when a company actually goes and buys cyber insurance, the chance that they get hacked is less, and when they get hacked the severity is also less, because the insurance company actually does require them to have a lot of those plans ahead of time before they'll insure them, which is why the severity and frequency tend to be a bit less. And then any sort of third-party liabilities: lawsuits and stuff like that, privacy liabilities and network security liability, regulatory. Some of those depend on the states and countries: some of those will not pay for the fines, other countries will pay for the fines; it could be covered by insurance, but that depends on your policy. But what is not covered is any sort of intangible assets: copyrights, trade secrets, any of those, customer lists. Those will not be covered, so if you lost it, you lost it; that's not going to be insurable. So there are overlaps between cyber insurance, liability that arises due to the insured's operating risk, and then there's the tech E&O, any sort of liability because of your actual product. They could say, you know, you could have done better, your stuff embedded the issues in here that caused us damages; if you lost my customer list, like if you're a cloud service provider and you lost somebody's customer names and stuff, a customer list, you could be subject to tech E&O as well.

So here's one of those graphs that I did for building the model. Different industries, as you can see, have different frequencies, but as the revenue increases, the number of incidents also increases along the way. So we can see that larger companies tend to, it makes sense, larger companies tend to have more events than the smaller guys. Also, there might be something about it: maybe some of the small guys didn't even report it, so that could also be part of that.

So this is the per-record cost for large privacy breaches. You can see the range, anywhere from less than a dollar, 36 cents, or 20 cents if you count the high end of the range on Yahoo, to over $500 per record, and there are still pretty big numbers and some of those are still open. So this is the number of records they lost, and then this is what they disclosed; it's publicly disclosed only, which means there's a whole chunk of it that's probably still never talked about, never reported, so that's not in this number. So the per-record cost will most likely be higher, actually; well, it is higher, it will be higher, because a lot of those they don't disclose. Some of those numbers we got off of their press releases, some of those numbers we got off their 10-Ks, some of those come off their annual financial data and stuff like that. And when we're looking at those things, sometimes they're kind of iffy about disclosing those. Like one of the companies got ransomed; they said, okay, we got hacked by ransomware, we paid the ransom; however, along with the flood in Texas, the whole loss is $140 million. [Laughter] So they don't tell you exactly what they lost.

So why could a data breach become so costly? For the smaller breaches: forensics and breach response. When you have a breach, that's what you have to have. And then for the larger ones, the cost comes from the vendor expenses, the legal, and the fines and penalties and settlements and liabilities and so forth; those are the buckets. So when we model it, we model for smaller companies; there's a certain frequency for small breaches and a certain frequency for large breaches. When large privacy breaches happen, then a lot of those fines and penalties and settlements kick in, and that's how we built the model to say this is what your risk looks like.

The next thing I want to move on to is business interruption. This was not on too many people's radar until, I think, 2016, when there was a botnet that basically shut down the east coast of the internet, the Mirai botnet, and then NotPetya happened in 2017, and that's when everybody said, oh, we need to buy BI insurance, business interruption insurance. Today it's actually going to become bigger and worse than it was, because a lot of our companies are so integrated in terms of supply chains. So remember COVID, when the chip shortage happened and they couldn't produce as many cars, they couldn't deliver cars; well, this is what happens when you have business disruptions, their liabilities. And often a lot of those events don't even get reported, just because they're small and they just won't tell anybody about it.

So here's NotPetya; the names got erased and became countries, but you know who they are exactly. The worst one is $1.4 billion worth of damages on NotPetya, and that one actually not only maxed out their cyber policies, they also went to the property policies. So then there was a discussion of "that's an act of war, and if it's war we don't cover it," and so there were lawsuits, and eventually they won and said that it's not war and it's part of the property stuff. So a certain part of that did get covered.

And some of the other large business interruption losses: you can see those are pretty recent, except I don't have any 2022 there; the 2022 ones didn't make the list. Some of those actually made the list; however, they blended themselves with other losses, so I couldn't put them on the list. So these are some of those large ones, but all of this is public; you can actually go search for it. That's the company, that's the countries they're from, and you'll find that if you search for specific numbers on the loss damages and the timeline, you can probably find the company if you want to really know. But this just gives you an idea of what kind of impact a business interruption loss could have: it's huge.

So the way we compute some of the different losses in business interruption is that you have shutdown time: you have time that you're actually down for a period of time, and you slowly recover, and then there's a period of restoration. Now, this back end here could be really long. We have clients that, after two years, are actually still suffering losses, because their blueprints got lost, so now instead of building a factory or some sort of power plant by module, they have to recreate all those modules. And some of those were pharmaceutical: the tests that they have, the data that they test, they have to be FDA compliant, and when that data is lost they start all over again. So those could be real damages. And by the way, the revenue itself is not insurable, but the income loss is insurable; so any of those things, like if you pay salary during those times, you pay rent for buildings, those kinds of things during that time are insurable. A lot of people don't really... some of the companies don't understand that that is valuable as well, because any time you have a big ransomware, a big BI event, this is actually a big component that could be covered by insurance.

Looking at it by industry over there, the biggest one was education and public administration, healthcare, and some finance and insurance, and then CMT, communication, media, technology. Those are the frequencies by industry of where they're being hit the most in the last few years. So why are business interruption events so expensive? Well, you have revenue loss, you can have unfulfilled orders, you have lost orders, you could have a long-tail recovery time due to physical or intellectual property damages, you could have just a higher cost of production; we have a lot of clients that, just because they had something happen to them, now their production cost is a lot higher. There's contingent BI, so BI where others are depending on you to run their business or build their products, that you could be liable for; and of course legal and liabilities. Those are the kinds of things that would be there.

And I think this is the one that everybody has been asking about lately, ransomware, so I'll go through ransomware. The data set I have on ransomware is about 11,200 ransomware events from 2017 to 2023. I picked 2017, and actually 2017 to 2018 was not so bad; I actually did a time series analysis on that one,
and there's clearly a break point between 2018 and 2019; if you run the time series right there, there's a very clear break point on that. I only counted the events whose intent is to extract ransoms. I didn't count NotPetya, because NotPetya is not a ransom-extracting event: they said $300, but even if you paid, they're destroying your infrastructure, so they're not wanting to collect the $300 and they don't have a key to fix it. So I didn't count that. And here are some of the large ransomware losses; it's a few hundred million, and it's all in the millions. I think the last one that made it to the list is about $15 million, but still that's pretty big damages in terms of ransomware. Again, those are all public.

So in terms of ransomware, here's the list of things: you've got to pay the ransom or negotiate the ransom. The average ransom negotiation time is about 5 days, so it takes you about 5 days, on average, just to get it negotiated, if you decide that you want to pay or not pay. And then you have to have OFAC certification: for all the sanctioned countries, if the ransomware organization is from a sanctioned country you can't even pay the ransom, and if you do, then you get in trouble with the US government.
In a bad ransomware event, business disruption would be a big one: if you don't have your backups and stuff like that, it could be a huge cost as well. And if any of the records were held for ransom, then there could be crisis management type stuff, and of course investigations, as well as privacy-related products; that's all in the list in terms of ransoms. And then of course you have your regulatory stuff: if you lost a lot of records, there could be pretty large settlements there. And then I put the extra expense; this was actually from one of our claims. Here's a list of all the extra expenses that go with it: temporary workers, temporary data center, temporary cloud services, any sort of incremental financial statement audit fees, incremental internal labor cost, employee expense, pizza for the Friday night you make it work, goodwill stuff. And I think that's a big one in Japan: there are apology fees that you have to pay as well, too. So, come on, I'd better go faster.

So here's the frequency of ransomware. You can see that 2017, 2018 is pretty much none, and then 2019 it starts to go up, and then when COVID happened it went up exponentially; and with the Russia-Ukraine war sanctions, it went down, because they couldn't get hardware and they couldn't get the money. And here's the latest, the most active ransomware groups that we have on our list, so I thought I'd put it up there as the last thing as well. 2022 and 2023... 2022 is also still partial data. So yeah, you can see it's coming back up again after the sanctions: they figured out a way to get hardware to actually do the ransom activity, and they figured out how to get the money, because for a while, because of sanctions, they couldn't get the money.

And then look at the different industries. At first, you can see healthcare initially really got hit a lot, and then the next one is manufacturing, which is the orange one right here: at first they weren't getting hit that much, but look at what happened to it now; it's a huge percentage, manufacturing. And then it goes up to education. The orange guy is professional services, so the law firms: they weren't getting hit much; now they're all getting hit. Different types of professional services organizations are now getting hit more and more.

So this is one of the questions, like, well, if I get ransomed, what do I do? So this is the percentage of companies who pay versus the percentage that don't pay. As you can see, from 2017 on there were a lot more that paid, because people weren't as ready or as prepared as they should have been, so they may not have had backups, they may not have had the right stuff that they were supposed to have. Now, as it comes up to 2021 and 2022, we are seeing a smaller percentage of companies paying as well.

And here's the breach response cost. I put this in percentiles just because I didn't want to actually tell you how much they pay, because they are clients. The blue chart is actually a lognormal fit to the distribution of breach response; in terms of the green ones, the median and average are actual numbers, that's why there are green bars there. But if you look at that, the average there is, what, 981k in terms of response cost; it's above the 80th percentile, so that means there are some company or companies out there that did spend a lot of money on breach response costs.

And here are some known total costs versus the average total cost incurred. So you can see that the number of events, out of those, is this little thing right here, it's actually the number of events, but then each one of those bars is the total cost, the average cost in that year. So 2017 was pretty high, 2018 is not too bad, it went down, but 2019 and 2022 did get a lot higher. And then this is the known total cost per year that I could find, of all the known total costs.

This is a chart of average ransomware demand and payment for our clients. So for 2019, in the beginning of time, they didn't know what they were doing, so they just demanded anything and everything, and look at the pay ranges: it's a lot smaller. We had companies that were only, like, five million, I think it was 8 million, in revenue, and the ransom demand was 80 million; it's like, we can't pay that, we don't have anything to pay that with; it was just not happening. So you can see at the beginning of it it's a really wide range, because they don't know what to ask, they don't care, just ask something; but as it goes to 2020, 2022, you can see the range got a lot smaller. See, this is the demand range, this is the pay range of that, and so it did get a lot smaller. And by the way, the largest ransom demand in 2023 so far is $175 million, and the average pay... not that one, but the largest pay is 30 million this year. So it's a decent number, a huge number. The most active ransomware group is LockBit.

And here's the ransom paid by year, and you can see the different percentiles and stuff like that as well; this was all clients, and you can see that 2021 had some of the bigger ransom amounts that were paid.

So how is the cost distributed? I took about 40-something, 50, somewhere around there, of the ransomware claims that have all the detailed costs, and I was able to group them; the ones that didn't have detailed costs got tossed out. So when I separated them, here's the distribution of that. You can look at it: ransom payment took almost about 30%, and business interruption takes about 30%, and this is all from various industries. The liability on this one is small, just because I think there are only like two, maybe, that had liabilities in there, so it doesn't really represent what the true cost is. And there's a claim preparation type of fee: when you get events, you've got to pay for claims, and you've got to prepare a claim for the insurance, so there's a fee that consulting does charge. So that's the restoration and the distribution. This is one of the things that people ask a lot: if I had a ransom event, what do I do, how much is it going to cost me? This is sort of an average thing.

And we talked about MOVEit, so I added the slide. So MOVEit happened in June, so in July we started getting hit by claims. Up to date we've had about 117 claims as of yesterday; that's how many it has happened to, mostly education, financial, healthcare and communication. So yeah, that's what happened lately.

So how did they become so costly? So far, well, of course you saw the cyber privacy, business interruption, ransomware, and I also want to call out technology errors and omissions: if you provide any sort of services, technology services or products, that could happen as well. Once they got into your environment, they could fraudulently reroute your funds, and that could hit your crime policy. And then we have ransoms that hit multiple policies: it hit the cyber policy as well as the kidnap and ransom policy too, so when one policy runs out, depending on the wording, they could be paying from the other policies. And then we've certainly seen it hit the property policies as well. So there are multiple damages across basically your whole enterprise on different fronts, and that could get very expensive.

So this is the part that I didn't put on my original agenda, but I thought it would be fair to actually talk about how you improve it, with all this stuff. So I want to talk specifically about some of the top controls that you have to have. The data that I used was firmographic data from Dun & Bradstreet, any of the historical incident data that we talked about from RBS, Advisen, and Marsh McLennan claims, insurance claims including the insurance portfolio claims, and then also any of those technographic data that we have, inside and outside assessments, as well as the scoring from BitSight and SecurityScorecard; those are the outside-looking-in, and you see the different scores that you have. And so we've gone through the probability of success of the cyber events and looked at industry-specific implementation of those controls. We also, let me see, that's on the next one. Yeah, so when they come and get insurance, we make them fill out a questionnaire covering all this broad spectrum; we call it the cyber self-assessment. We make them go through all this stuff in terms of governance, account monitoring, business continuity, recovery, any sort of stuff we ask. So this is just us as a broker: we ask them to fill out a few questions, and what we do is we correlate those data, and we correlate it with the firmographics as well. So there's firmographic data in terms of revenue, high versus low: high is anything a billion and above, low is anything less than a billion, and as you can see, the company's firmographics matter. So the conditional probability of a claim in the low group is about 3%, 2.97, and the conditional probability for a high-revenue company is about 8%, so it's more than double what it is. So we do that as well.

And then we went through, from the CSA that they had, the cyber self-assessment, and computed the signal strength of those versus the claim data that we have in-house. So what we're saying is that security configuration came out on top: you've got to have configuration management tools such as Active Directory and so forth; you've got to monitor your accounts. Those are some of the top controls that you have to have in order to reduce the frequency of your claims; well, frequency of events, therefore claims. Some of this stuff, it's because there are so many things that you have to look out for, so what is the priority, right? So this is what we're saying: when we come to those 150 questions that we have, this is what we came up with as the top things that you have to have. And then, in some of those cases, individually, some of those questions, like this one about multi-factor authentication: if you just do one, it's 1.25 in terms of signal strength, but if you add the other two, then you actually get to 1.44. So the completeness of the implementation matters as well; it could be a huge impact. We grouped the questions by control categories, and if that control category, for multi-factor authentication, is well implemented, then the likelihood of good signal strength increases quite a lot. And then we looked at the incident rates across the various companies and saw how they are in terms of implementation. Education sort of came out low on the list of all the top controls, and they also have significantly higher claim rates compared to others as well. So failure to implement the top controls is reflected in the industry incident rates. And here are the top five things; without those, those are the top five you have to have, without them they don't want to sell you cyber insurance, or they can sell you cyber insurance at an extremely high price.

So this is based on a study of actual data, fact data, that we check from our customers answering, and we have a few thousand of those answers per year at least, and then going back many years, I think 10 years of claims. And that's what we came back with, to say this is the stuff you must have in order to reduce the frequency of your cyber events. So the key takeaway is that you use the self-assessment data to allow you to figure out what the most impactful controls are, which is what I listed; broad and robust adoption of some of those controls is necessary for their effectiveness, multi-factor authentication was the example that I used; and industries with lower implementation rates of high-impact controls tend to have higher cyber event rates. And here's where you can get more information about the priorities, as well as my email address on the bottom, if you want a copy of the presentation. That's it.