Appendix 1: Scenario Selection
The following seven scenarios were discussed by the working party. These scenarios were originally conceived through brainstorming based on known events and events considered to be plausible given the knowledge of the cyber threat environment at the time. Care was taken to consider scenarios relevant to insurance organisations and across the whole industry regardless of area of business focus. The final selection of scenarios to focus on was based on a group vote to determine the scenarios which the group considered the most relevant and interesting to explore in greater detail.
Scenario 1: A general insurer with a diverse book of business, including a large motor portfolio, is hacked by an internal staff member. Details of all motor insurance policyholders are leaked onto an Internet website and are widely available.
Scenario 2: A large life insurance business is targeted by a spear phishing e-mail to their CFO, apparently from their CEO. This results in a large transfer of funds intended for an investment portfolio, into a rogue bank account.
Scenario 3: A Lloyd’s syndicate has a large portfolio of risks in the USA. The Internet on the East Coast of the United States is attacked by cyber anarchists, resulting in no Internet connectivity for two weeks.
Scenario 4: A large insurer is in the process of migrating its data centre operations to the cloud. A member of its IT team extracts a large volume of client data containing Personally Identifiable Information onto a high-capacity disk for transfer to the new data centre. The disk is stolen during the physical transfer.
Scenario 5: A broker for a general insurer is infected with ransomware on their computer. The ransomware spreads within the company and encrypts a major file share containing client records, which the company can no longer access. The online backup of the file share is also affected, because it automatically backed up the encrypted files in place of the originals. The insurer is unable to process client requests because important client information is no longer available.
Scenario 6: An insurer employs a third party to print and send invoices and statements to all their customers. Large volumes of client data are shared monthly with the service provider to carry out necessary print and invoice operations. The insurer gets notified by the third party that they have experienced a data breach and customer records have been stolen.
Scenario 7: A motor insurer deploys a specific telemetry device in customer vehicles to measure driving patterns. A security researcher publicises a hack on this device that allows any Internet user to access the device’s camera as well as the location and PII data held on it. The insurer needs to recall, replace or replenish the device for each of its clients.
Scenarios 1, 5 and 7 were selected as being the most relevant to the insurance industry from an operational risk perspective, and the following amendments were suggested.
Scenario 1: Ensure that the data breach focus is retained but expand the narrative of the scenario to include both personal lines (volume focus) and commercial lines/London market (sensitivity focus e.g. high net worth, K&R, M&A).
Scenario 5: The focus of the scenario should be on business interruption e.g. ransomware/cloud downtime.
Scenario 7: In researching the scenario consider IoT and the potential impact of this area of technology more broadly.
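As an added illustration of the backup failure in Scenario 5 (example code written for this appendix, not part of the working party’s report or of any insurer’s system), the following Python simulates a file share being encrypted by ransomware and compares the mirror-style online backup the scenario describes with a versioned backup that retains earlier copies and raises an alert when most of a share turns into encrypted-looking files. The file names, record contents, suspect file extensions and detection thresholds are all constructed assumptions for the illustration.

```python
"""Scenario 5 backup failure mode, simulated (added example, not from the report).

A mirror backup overwrites its copy with whatever is on the share, so once the
share is encrypted the backup is too. A versioned backup keeps history and
alarms when a run looks like mass encryption. Names, contents, extensions and
thresholds below are constructed for the illustration.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass, field

# Assumptions: extensions ransomware commonly appends, an entropy level that
# plaintext business records stay well below, and the fraction of files that
# may turn encrypted-looking in one run before we alarm.
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")
ENTROPY_THRESHOLD = 7.0        # bits per byte; ciphertext approaches 8.0
CHANGE_RATIO_THRESHOLD = 0.5   # more than half the share in a single run


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text records score roughly 4-5, random bytes near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Cheap per-file heuristic: renamed by ransomware, or content is near-random."""
    return name.endswith(SUSPECT_EXTENSIONS) or shannon_entropy(data) > ENTROPY_THRESHOLD


@dataclass
class MirrorBackup:
    """The scenario's online backup: copies the share as-is and keeps no history."""
    copy: dict = field(default_factory=dict)

    def run(self, share: dict) -> None:
        self.copy = dict(share)

    def restorable(self) -> dict:
        return {n: d for n, d in self.copy.items() if not looks_encrypted(n, d)}


@dataclass
class VersionedBackup:
    """Keeps every version ever seen and never discards history on the source's say-so."""
    versions: dict = field(default_factory=dict)   # name -> [content, ...] oldest first
    alerts: list = field(default_factory=list)

    def run(self, share: dict) -> bool:
        """Append the current state to history; return True if the run looks like ransomware."""
        suspect = sum(1 for n, d in share.items() if looks_encrypted(n, d))
        alarm = suspect / max(len(share), 1) > CHANGE_RATIO_THRESHOLD
        for name, data in share.items():
            self.versions.setdefault(name, []).append(data)
        if alarm:
            self.alerts.append(f"{suspect}/{len(share)} files look encrypted; hold retention, page on-call")
        return alarm

    def restorable(self) -> dict:
        """Most recent clean version of every file ever backed up."""
        out = {}
        for name, history in self.versions.items():
            clean = [d for d in history if not looks_encrypted(name, d)]
            if clean:
                out[name] = clean[-1]
        return out


def build_sample_share() -> dict:
    """Constructed client records: low-entropy CSV-like text, a few KB per file."""
    row = "POL-{:06d},Smith,AB1 2CD,Motor,2018-01-01\n"
    return {f"client_records_{i}.csv": "".join(row.format(j) for j in range(i * 100, i * 100 + 60)).encode()
            for i in range(1, 5)}


def simulate_ransomware(share: dict, seed: int = 1234) -> dict:
    """Stand-in for the malware's effect: rename each file and replace its content with
    random bytes of the same length. No real encryption is performed."""
    rng = random.Random(seed)
    return {name + ".locked": bytes(rng.getrandbits(8) for _ in range(len(data)))
            for name, data in share.items()}


def simulate() -> dict:
    """Day 1: healthy backup run. Day 2: the share is encrypted and both backups run again."""
    share = build_sample_share()
    mirror, versioned = MirrorBackup(), VersionedBackup()
    mirror.run(share)
    versioned.run(share)
    infected = simulate_ransomware(share)
    mirror.run(infected)
    alarm = versioned.run(infected)
    return {"mirror_restorable": len(mirror.restorable()),        # 0: good copies overwritten
            "versioned_restorable": len(versioned.restorable()),  # 4: prior versions survive
            "alarm_raised": alarm,
            "alerts": list(versioned.alerts)}


if __name__ == "__main__":
    print(simulate())
```

Run directly, the mirror backup has nothing usable to restore, while the versioned backup can still restore every original record and has logged one alert. The two controls it models, retention that the source system cannot shorten and anomaly alerting on the backup job itself, are what turn the scenario from a total loss of the share into a bounded recovery exercise.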
Appendix 3: Glossary of Terms
Attacker: Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the outcome.
Botnet: A botnet is a collection of Internet-connected devices, which may include PCs, servers, mobile devices and Internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.
Breach: An incident in which data, computer systems or networks are accessed or affected in a non-authorised way.
Brute force attack: Using computational power to automatically try a very large number of candidate values, usually in order to discover passwords or keys and gain access.
Bug bounty programmes: A bug bounty programme is an arrangement offered by many websites and software developers under which individuals receive recognition and compensation for reporting bugs, especially exploitable vulnerabilities.
CISO: A chief information security officer (CISO) is the senior-level executive within an organisation responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
CRO Forum: The CRO Forum is a group of professional risk managers from the insurance industry that focuses on developing and promoting industry best practices in risk management. The Forum consists of Chief Risk Officers from large multi-national insurance companies. It aims to represent the members’ views on key risk management topics, including emerging risks.
Cyber resilience: Cyber resilience refers to an entity’s ability to continuously deliver the intended outcome despite adverse cyber events.
Cyber underwriting risk: Cyber underwriting risk is defined as the set of risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.
Data at rest: Describes data in persistent storage such as hard disks, removable media or backups.
Data warehousing: Data warehousing is a technology that aggregates structured data from one or more sources so that it can be compared and analysed for greater business intelligence.
DDoS: A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests, or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
Device hack: Embedded device hacking is the exploitation of vulnerabilities in embedded software to gain control of the device. Attackers have hacked embedded systems to spy on the devices, to take control of them or simply to disable them. Embedded systems exist in a wide variety of devices including Internet and wireless access points, IP cameras, security systems, pacemakers, drones and industrial control systems.
ERM: Enterprise risk management (ERM) is the process of planning, organising, leading, and controlling the activities of an organisation in order to minimise the effects of risk on an organisation’s capital and earnings.
Firmware: In electronic systems and computing, firmware is a specific class of computer software that provides the low-level control for a device’s specific hardware. Firmware can either provide a standardised operating environment for the device’s more complex software (allowing greater hardware independence) or, for less complex devices, act as the device’s complete operating system, performing all control, monitoring and data manipulation functions.
GDPR: The General Data Protection Regulation (GDPR) is an EU regulation, directly applicable in all member states from 25 May 2018, governing the collection and processing of the personal data of individuals in the European Union. It sets out principles for data management and the rights of data subjects, and provides for fines of up to 4% of worldwide annual turnover. It applies to any organisation, wherever established, that processes the personal data of individuals in the EU, so it is a critical regulation for compliance officers at banks, insurers and other financial companies.
IoT: Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity, which enables these things to connect and exchange data, creating opportunities for more direct integration of the physical world into computer-based systems, resulting in efficiency improvements, economic benefits, and reduced human exertions.
Malware: Malicious software, a file or program that is harmful to a computer user and can perform a range of malicious functions such as encrypting, stealing or deleting sensitive data, hijacking or altering core computing functions, and monitoring users’ computer activity without their permission.
Network segmentation: Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.
NIST Framework: The NIST Cybersecurity Framework is voluntary guidance published by the US National Institute of Standards and Technology that organisations can use to assess and improve their ability to manage cyber risk. It organises security activities into five core functions: Identify, Protect, Detect, Respond and Recover. Originally developed for US critical infrastructure, it is now widely used by private sector organisations in the United States and elsewhere.
Operational Risk: Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational Risk is the residual risk not covered by other categories of risk, including insurance, financial, credit and liquidity risk.
Patch controls: Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.
Petya/NotPetya: Petya is a family of encrypting ransomware first seen in March 2016, when it propagated via infected e-mail attachments. It targets Microsoft Windows systems, infecting the master boot record to execute a payload that encrypts the hard drive’s file system table (the NTFS Master File Table) and prevents Windows from booting, then demands a payment in Bitcoin to restore access. In June 2017 a new variant was used in a global cyber-attack, primarily targeting Ukraine, where it was initially distributed through a compromised update to the M.E.Doc accounting software. Within networks this variant spreads using the EternalBlue exploit, generally believed to have been developed by the U.S. National Security Agency (NSA) and used earlier in the year by the WannaCry ransomware, and also by harvesting credentials and using legitimate Windows administration tools. Kaspersky Lab named this version NotPetya to distinguish it from the 2016 variants because of these differences in operation. Although it purports to be ransomware, NotPetya was built so that it cannot actually revert its own changes, making it in effect a destructive wiper.
Penetration test/Pentest: An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.
PFI: PCI Forensic Investigators (PFIs) help determine whether a cardholder data compromise has occurred and when and how it may have occurred. PFIs are qualified under the PCI Security Standards Council’s programme and must work for a Qualified Security Assessor company that maintains a dedicated forensic investigation practice. They perform investigations within the financial industry using proven investigative methodologies and tools, and maintain relationships with law enforcement to support stakeholders in any resulting criminal investigation.
PII: Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymising anonymous data can be considered PII.
QSA: Qualified Security Assessor is a designation conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the Council, are employed by a QSA company (a security and auditing firm approved by the Council), and will be performing PCI compliance assessments relating to the protection of payment card data.
Ransomware attack: Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
S166: A s166 notice is a notice issued by the Financial Conduct Authority (FCA) under s166 of the Financial Services and Markets Act 2000 requiring a firm to carry out a “skilled person review.” The FCA serves around 50 a year.
SDLC: The Software Development Life Cycle (SDLC) is a process used by the software industry to design, develop and test high-quality software. It is also called a software development process. The SDLC is a framework defining the tasks performed at each step of the software development process.
Social engineering: Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
Software vulnerabilities: In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorised actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can reach the weakness. The set of points at which an attacker can attempt to do so is referred to as the attack surface.
Spear-phishing: Spear phishing is an e-mail-spoofing attack that targets a specific organisation or individual, seeking unauthorised access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
Telemetry: Telemetry is an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
Vulnerability scans: Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan detects and classifies known weaknesses in computers, networks and communications equipment, and helps gauge the effectiveness of existing countermeasures. A scan may be performed by an organisation’s IT department or by a security service provider, possibly as a condition imposed by a regulator or other authority.
Worm: A worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.