MMC CYBER HANDBOOK 2018
Perspectives on the next wave of cyber
FOREWORD
Cyber risk continues to grow as technology innovation increases and societal dependence on
information technology expands. A new and important turning point has been reached in the
struggle to manage this complex risk. In the war between cyber attackers and cyber defenders,
we have reached what Winston Churchill might call the end of the beginning.

Three characteristics mark this phase shift. First, global cybercrime has reached such a high level of sophistication that it represents a mature global business sector, illicit to be sure, but one which is continually innovating and getting more efficient. In 2017 we have experienced the widespread use of nation state-caliber attack methods by criminal actors. Powerful self-propagating malware designed to destroy data, hardware and physical systems has caused major business disruption to companies worldwide at an enormous financial price. The number of ransomware attacks has also spiked significantly. More attack incidents have impact extending beyond the initial victims, with broad systemic ripple effects.

Second, business and economic sectors have high and growing levels of dependency on IT systems, applications and enabling software. Growth in connectivity between the digital and physical worlds, and the acceleration in commercial deployment of innovative technologies like the Internet of Things (IoT) and Artificial Intelligence (AI), will expand potential avenues for cyberattack and increase risk aggregation effects. These changes will make the next phase of cyber defense even more challenging.

The third shift is the rising importance of coordination among institutions (governments, regulatory authorities, law enforcement agencies, the legal and audit professions, the non-government policy community, the insurance industry, and others) as a critical counter to the global cyber threat. Cyber risk defense can only be effective if these groups share a common understanding of the changing nature of the threat, its importance and its increasingly interconnected nature. Working individually and in concert, these groups can increase our collective cyber resilience. We are beginning to see expectations converge in areas such as increased transparency, higher penalties for failure to maintain a standard of due care in cyber defense, improved incident response, and an emphasis on risk management practices over compliance checklists. It will be vital for this trend to continue in the next phase.

Against this backdrop, the 2018 edition of the MMC Cyber Handbook provides perspective on the shifting cyber threat environment, emerging global regulatory concepts, and best practices in the journey to cyber resiliency. It features articles from business leaders across Marsh & McLennan Companies as well as experts from Microsoft, Symantec, FireEye and Cyence. We hope the handbook provides insight which will help you understand what it takes to achieve cyber resiliency in the face of this significant and persistent threat.

John Drzik
President, Global Risk and Digital
Marsh & McLennan Companies
CONTENTS

WAKE UP TO THE SHIFTING CYBER THREAT LANDSCAPE
Threat Trends on Major Attacks in 2017 (p. 5)
Industries Impacted By Cyberattacks (p. 6)
Evolution of Cyber Risks: Quantifying Systemic Exposures, by George Ng and Philip Rosace (p. 7)
The Dramatically Changing Cyber Threat Landscape in Europe, by FireEye | Marsh & McLennan Companies (p. 10)
Asia Pacific: A Prime Target for Cybercrime, by Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo (p. 15)
The Equifax Breach and its Impact on Identity Verification, by Paul Mee and Chris DeBrusk (p. 21)
Lessons from WannaCrypt and NotPetya, by Tom Burt (p. 24)
The Mirai DDoS Attack Impacts the Insurance Industry, by Pascal Millaire (p. 27)
Time for Transportation and Logistics to Up Its Cybersecurity, by Claus Herbolzheimer and Max-Alexander Borreck (p. 30)
Are Manufacturing Facilities as Secure as Nuclear Power Plants?, by Claus Herbolzheimer and Richard Hell (p. 33)

PREPARE FOR EMERGING REGULATIONS
GDPR Compliance (p. 35)
The Growing Waves of Cyber Regulation, by Paul Mee and James Morgan (p. 36)
Regulating Cybersecurity in the New York Financial Services Sector, by Aaron Kleiner (p. 40)
The Regulatory Environment in Europe is About to Change, and Profoundly, by FireEye | Marsh & McLennan Companies (p. 43)
Cybersecurity and the EU General Data Protection Regulation, by Peter Beshar (p. 46)
Cyberattacks and Legislation: A Tightrope Walk, by Jaclyn Yeo (p. 49)

CYBER RESILIENCY BEST PRACTICES
Percentage of Respondents at Each Level of Cyber Preparedness Across Industries and Regions (p. 53)
Deploying a Cyber Strategy: Five Moves Beyond Regulatory Compliance, by Paul Mee and James Morgan (p. 54)
Quantifying Cyber Business Interruption Risk, by Peter Beshar (p. 60)
Cybersecurity: The HR Imperative, by Katherine Jones and Karen Shellenback (p. 61)
Limiting Cyberattacks with a System Wide Safe Mode, by Claus Herbolzheimer (p. 63)
Recognizing the Role of Insurance, by Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo (p. 65)
WAKE UP TO THE SHIFTING CYBER THREAT LANDSCAPE

MMC CYBER HANDBOOK 2018

THREAT TRENDS ON MAJOR ATTACKS

BREACHES (2014 / 2015 / 2016)
Total breaches: 1,523 / 1,211 / 1,209
Total identities exposed: 1.2 BN / 564 MM / 1.1 BN
Average identities exposed per breach: 805 K / 466 K / 927 K
Breaches with more than 10 million identities exposed: 11 / 13 / 15
In the last 8 years more than 7.1 BILLION identities have been exposed in data breaches

RANSOMWARE (2014 / 2015 / 2016)
Number of detections (2015 / 2016): 340,665 / 463,841
Ransomware families: 30 / 30 / 101
Average ransom amount: $373 / $294 / $1,077

MOBILE (2014 / 2015 / 2016)
New Android mobile malware families: 46 / 18 / 4
New Android mobile malware variants: 2.2 K / 3.9 K / 3.6 K
New mobile vulnerabilities by platform (iOS / Android / BlackBerry / TOTAL):
2016: 290 / 316 / 0 / 606
2015: 463 / 89 / 0 / 552
2014: 178 / 12 / 10 / 200

CLOUD (2015 JUL-DEC / 2016 JAN-JUN / 2016 JUL-DEC)
Average number of cloud apps used per organization: 774 / 841 / 928
Percentage of data broadly shared: 25% / 23% / 25%

Source: Symantec


INDUSTRIES IMPACTED BY CYBERATTACKS

Percentage of respondents in industry that have been victims of cyberattacks in the past 12 months

Energy (N=88): 26%
Health Care (N=101): 25%
Retail and Wholesale (N=39): 25%
Manufacturing (N=176): 22%
Infrastructure (N=36): 19%
Financial Institutions (N=132): 17%
Automotive (N=46): 15%
Professional Services (N=136): 15%
Power and Utilities (N=56): 14%
Marine (N=36): 14%
Communications, Media, and Technology (N=104): 13%
Aviation and Aerospace (N=34): 9%

Source: 2017 Marsh | Microsoft Global Cyber Risk Perception Survey


EVOLUTION OF CYBER RISKS: QUANTIFYING SYSTEMIC EXPOSURES
George Ng and Philip Rosace

Cyberattacks have escalated in scale over the last twelve months. The progression of events has demonstrated the interconnectedness of risks and shared reliance on common internet infrastructure, service providers, and technologies. If the Target, Sony, Home Depot, and JPMorgan Chase data breaches in 2013 and 2014 defined the insureds' need to manage their cyber risks and drove demand for cyber insurance, then this year's events have proven the need for insurers to quantify and model their exposure accumulations and manage tail risk.

These recent events have a different texture and a broader impact and reach than the incidents we have grown accustomed to seeing over the past decade. A certain trend towards awareness of systemic risk has emerged among cyber insurance markets and their regulators. Exposure modeling around accumulation

exposures such as cloud infrastructure and widely used technologies is advancing. The 2017 Lloyd's Emerging Risk Report "Counting the costs: Cyber risk decoded", written in collaboration by Cyence and Lloyd's, models losses from a mass cloud service provider outage to have potential for $53 billion in ground-up economic losses, roughly the equivalent of a catastrophic natural disaster like 2012's Superstorm Sandy.

Cyence's economic cyber risk modeling platform collects data to quantify systemic risks and assess economic impact to portfolios of companies. It is essential to evaluate the variety of commonalities among companies to identify any non-obvious paths of aggregation that could be a blind spot. The Web Traffic by Sector chart shows a sector breakdown of internet usage. Software and technology companies, unsurprisingly, account for a majority of traffic.

But systemic risk also stems from joint usage of common services within an Internet Supply Chain, including ISPs, cloud service providers, DNS providers, CDN providers, among others. Understanding the many permutations of these accumulation paths is critical for the insurance industry's enterprise risk

Exhibit 1: TIMELINE OF RECENT ATTACK EVENTS

OCTOBER 21, 2016: Dyn Inc.'s DNS provider services were interrupted by a Distributed Denial of Service attack of unprecedented strength from the Mirai botnet of compromised IoT devices. The attack was said to have a flood rate of 1.2 Tbps from 100,000 infected devices. Dyn's 11-hour outage of their DNS lookup services caused availability issues for users of Amazon.com, Comcast, HBO, Netflix, The New York Times, PayPal, Spotify, Verizon, The Wall Street Journal, Yelp, among many other platforms and services reliant upon Dyn as a DNS provider.

FEBRUARY 28, 2017: Amazon Web Services suffered an outage of their S3 cloud storage service for approximately 4 hours. The outage impacted some popular internet services, websites, and other businesses utilizing that infrastructure. The Wall Street Journal reported that the outage was caused by human error: an employee mistyped a command, causing a cascading failure that knocked out S3 and other Amazon services. Cyence estimates that companies in the S&P 500 dependent on Amazon's services lost approximately $150 million as a result of the outage.

MAY 12, 2017: An aggressive ransomware campaign was deployed, infecting hundreds of thousands of endpoints around the world. The ransomware, named WannaCry (AKA WannaCrypt, Wana Cryptor, wcrypt), targeted unpatched Microsoft Windows machines using the EternalBlue exploit. Notable victims included the National Health Service (NHS) in the United Kingdom, Nissan Motor Manufacturing UK, and Renault. The Wall Street Journal reported Cyence's estimate of $8 billion in potential economic losses due to the event, arising out of lost income and remediation expenses to organizations with infected or vulnerable systems.

JUNE 27, 2017: New variants of the Petya ransomware began spreading globally (dubbed NotPetya), though most of the activity was reported in Ukraine. Once the malware first infected its host, it then tried to spread further throughout the local network using the EternalBlue exploit, which was used by WannaCry a month prior. Ukraine's Chernobyl Nuclear Power Plant went offline, India's largest port was brought to a standstill, and a number of global companies were impacted including A.P. Moller Maersk, WPP, DLA Piper, Merck & Co., FedEx, and others. Reuters reported Cyence's $850 million ground-up loss estimate from this event.


Copyright 2017 Marsh & McLennan Companies 8



EXHIBIT 2: WEB TRAFFIC BY SECTOR

Software and Technology Services: 68%
Retail Trade: 10%
Education and Research: 6%
Financial Services: 4%
Business services, Utilities, Hospitality, Manufacturing, Publishing, Membership organizations: 2%

EXHIBIT 3: CLOUD USAGE BY SECTOR

Sectors shown: Software and Technology Services, Education and Research, Utilities, Financial Services, Healthcare, Manufacturing, Wholesale Trade, Retail Trade, Business Services, Licensed Professional Services. The shares are spread between 16% (the largest, Software and Technology Services) and 5%, with no sector dominating.

Source: Cyence

management. The Cloud Usage by Sector chart highlights cloud services usage by sector and tells a different story than the first chart; we see more widespread and balanced usage across a variety of industries instead of one sector dominating. A detailed and thorough evaluation of these exposures in dollars and probabilities will be essential for re/insurers' enterprise risk and capital management.

Just as our sea levels and weather patterns change over time, cyber temperatures are rising and society's technological advances appear to have a hand in it. The last twelve months have proven that the types of cyber events observed can change dramatically over a short period and create a new normal. A few years ago, we were all suffering from breach fatigue: every week a new retailer, healthcare provider, or financial institution lost their customers' sensitive data. This year we started to see early versions of cyber hurricanes occur, something the market has been concerned with for quite a few years. Like a natural disaster, these events affected wide swaths of enterprises through failures in common points of dependency.
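The accumulation analysis described above (shared dependence on ISPs, cloud, DNS and CDN providers, and the non-obvious paths a portfolio-level model should surface) can be sketched in a few dozen lines. The following Python script is an added example, not Cyence's platform or any code from the handbook; the portfolio, policy limits, provider names and provider-to-provider dependencies are all constructed placeholders. It goes one step beyond the text by also following transitive dependencies (an insured that relies on a SaaS vendor which itself runs on a cloud platform), which is exactly where a blind spot hides.

```python
from collections import defaultdict

# Constructed sample portfolio (not from the handbook): each insured company,
# its policy limit in USD millions, and the internet supply chain services it
# depends on directly. Provider names are placeholders.
PORTFOLIO = {
    "RetailCo":    {"limit": 50,  "depends_on": ["cloud-A", "dns-X", "cdn-P"]},
    "BankCo":      {"limit": 120, "depends_on": ["cloud-B", "dns-X", "isp-1"]},
    "MediaCo":     {"limit": 30,  "depends_on": ["cloud-A", "cdn-P", "saas-Pay"]},
    "HealthCo":    {"limit": 80,  "depends_on": ["cloud-B", "saas-Pay", "isp-2"]},
    "LogisticsCo": {"limit": 40,  "depends_on": ["saas-Pay", "dns-Y"]},
}

# Constructed provider-to-provider dependencies: a SaaS vendor that itself
# runs on a cloud platform and a DNS provider creates transitive paths that
# a direct-dependency view does not show.
PROVIDER_DEPS = {
    "saas-Pay": ["cloud-A", "dns-X"],
    "cdn-P": ["dns-X"],
}


def transitive_deps(service, provider_deps, seen=None):
    """Return every service reachable from `service`, including itself (cycle-safe)."""
    if seen is None:
        seen = set()
    if service in seen:
        return seen
    seen.add(service)
    for upstream in provider_deps.get(service, []):
        transitive_deps(upstream, provider_deps, seen)
    return seen


def accumulation_by_service(portfolio, provider_deps):
    """Map each service to the insureds exposed to it (directly or transitively)
    and the total policy limit that correlates on that single point of failure.
    Pass an empty provider_deps to get the naive direct-dependency view."""
    exposure = defaultdict(lambda: {"insureds": set(), "limit": 0})
    for name, info in portfolio.items():
        reachable = set()
        for svc in info["depends_on"]:
            reachable |= transitive_deps(svc, provider_deps)
        for svc in reachable:
            exposure[svc]["insureds"].add(name)
            exposure[svc]["limit"] += info["limit"]
    return dict(exposure)


def concentration_flags(exposure, portfolio, threshold=0.5):
    """Services whose correlated limit exceeds `threshold` of the total portfolio limit."""
    total = sum(info["limit"] for info in portfolio.values())
    return sorted(svc for svc, e in exposure.items() if e["limit"] / total > threshold)


def hidden_paths(portfolio, provider_deps):
    """Per insured, the services it depends on only transitively (never listed directly)."""
    hidden = {}
    for name, info in portfolio.items():
        direct = set(info["depends_on"])
        reachable = set()
        for svc in direct:
            reachable |= transitive_deps(svc, provider_deps)
        indirect = reachable - direct
        if indirect:
            hidden[name] = sorted(indirect)
    return hidden


if __name__ == "__main__":
    naive = accumulation_by_service(PORTFOLIO, {})
    full = accumulation_by_service(PORTFOLIO, PROVIDER_DEPS)
    for svc in sorted(full):
        print(f"{svc:9s} direct limit ${naive.get(svc, {'limit': 0})['limit']:>4}M "
              f"with transitive ${full[svc]['limit']:>4}M "
              f"({len(full[svc]['insureds'])} insureds)")
    print("over concentration threshold:", concentration_flags(full, PORTFOLIO))
    print("hidden dependencies:", hidden_paths(PORTFOLIO, PROVIDER_DEPS))
```

On this constructed portfolio the DNS provider dns-X looks like a $170M accumulation when only direct dependencies are counted, but every insured reaches it once the SaaS and CDN dependencies are followed, so the correlated limit is the entire $320M portfolio. The threshold is a placeholder; in practice the flags feed a scenario model such as the cloud outage loss estimates the article cites.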

CONCLUSION

So, what is on the horizon to be the next new normal for the cyber world? At Cyence, our white hats are seeing a lot of new trends, but some areas we see evolving include increased Internet of Things (IoT) exposures, increased ransomware efforts, and increased regulations. We believe there will be more attacks disrupting GPS and other geolocation systems to cause disruptions in the physical world, from supply chains and marine risks to consumers reliant on GPS-based products. As Bitcoin and other cryptocurrencies become more widely adopted, we expect to see more frequent and severe ransomware campaigns like WannaCry and NotPetya. Last, sovereign states are increasingly seeking regulations on data storage locations to provide governments with better control over their data. This control is desired for a variety of reasons including privacy, censorship, and anti-terrorism; compliance will require operational change by companies, but the variety of cloud resources available can simplify that transition for those organizations.

George Ng, based in San Mateo, is the CTO and co-founder of Cyence.
Philip Rosace, based in San Mateo, is a Senior Solutions Manager at Cyence.


THE DRAMATICALLY CHANGING CYBER THREAT LANDSCAPE IN EUROPE
FireEye | Marsh & McLennan Companies

Europe is being forced to confront a growing cyber threat against physical assets. Hackers, and purportedly nation states, are increasingly targeting industrial control systems and networks: power grids, chemical plants, aviation systems, transportation networks, telecommunications systems, financial networks and even nuclear facilities.

In late 2014, the German Federal Office for Information Security (BSI) reported that a cyberattack had caused massive damage to a German iron plant. Utilizing a combination of spearphishing and social engineering, hackers gained access to the iron plant's office network, moved laterally to control the production network and then disabled the shut-off valves on the plant's blast furnaces. In the parlance of the industry, this was a kinetic or physical attack against hard assets.

In late 2015, hackers turned their focus to the power industry. In one of the largest attacks of its kind, hackers shut off the power to hundreds of thousands of residents in Ukraine. According to public reports, the attacks that caused the power outage were accompanied by parallel cyber intrusions into Ukraine's train system and TV stations.

In October 2016, the head of the International Atomic Energy Agency at the United Nations, Yukiya Amano, publicly disclosed for the first time that a disruptive cyberattack had been launched against a nuclear facility in Germany. This report came on the heels of an analysis by the Nuclear Threat Initiative warning of lax cybersecurity at nuclear facilities in a number of countries across Europe.

Thus, cyberattacks against critical infrastructure, dubbed a potential "Cyber Pearl Harbor" by US military officials, are no longer the fantasies of Hollywood producers, conspiracy theorists or sci-fi aficionados, but are the reality that governments and businesses across Europe must now confront.

WHAT EU COUNTRIES ARE BEING TARGETED WITH THE GREATEST FREQUENCY?

Cyber hackers are increasingly opportunistic: smart, savvy, and innovative. Hackers are bypassing traditional defenses by continually engineering new methods of attack. Even sophisticated cybersecurity programs are being thwarted, often by targeting weak links in the chain, including vendors and employees. Due to its advanced economies and important geopolitical positioning, Europe is a prime target for these attacks.

TARGETING OF EU COUNTRIES

Europe's largest economies remain the top targets, but the focus ranges broadly across the continent. Exhibit 1 shows targeted malware detections from January to September 2016 for all EU nations except Turkey and Russia. (Nations not represented on this chart received little or no malware assessments from FireEye.) Had

Exhibit 1: TARGETED MALWARE DETECTIONS FROM JANUARY 2016 TO SEPTEMBER 2016


In 2016, hackers most often targeted financial, manufacturing, telecom industries and governments in Germany,
Great Britain, Belgium, Spain, Denmark, Sweden, Norway and Finland

Finland 1% Germany 19%

Poland 1% Belgium 16%

Switzerland 2% Spain 12%

France 3% Great Britain 12%

Austria 4% Italy 7%

Denmark 4% Sweden 6%

Hungary 4% Czech Republic 5%

Norway 4%

Source: FireEye|Marsh & McLennan Cyber Risk Report 2017 Cyber Threats: A perfect storm about to hit Europe?


Turkey been included, it would far overshadow the EU nations represented. Turkey accounted for a whopping 77 percent of all targeted malware detections by FireEye in Europe.

Germany powerfully demonstrates the changing cyber environment. Last month, Thyssen Krupp, a large German industrial conglomerate, disclosed that technical trade secrets were stolen in a cyberattack that dated back almost a year. The company filed a criminal complaint with the German State Office for Criminal Investigation and stated publicly, "It is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks."

The type of data being stolen in these attacks is particularly revealing. While sensitive personal information like financial or health records remains a key focus, hackers are increasingly targeting higher value data relating to infrastructure systems. Based on FireEye's research, 18 percent of the data that was exfiltrated through cyberattacks in Europe in 2016 related to companies' industrial control systems, building schematics and blueprints, while a further 19 percent related to trade secrets.

The federated nature of Europe also increases the potential cyber risk across the continent. Each EU member state has a different cybersecurity maturity. As more and more components of infrastructure are connected to the Internet and the Internet of Things explodes in popularity, certain countries within Europe may lack the capabilities needed to assess and implement a sophisticated cybersecurity framework to defend against these emerging threats. As a result, hackers can take advantage of the disparate architecture across the EU.

WHAT SPECIFIC INDUSTRIES ARE BEING TARGETED AND HOW?

The vertical industry analysis below reveals which sectors are being targeted with the greatest frequency. The three industries that draw the greatest attention in Europe are:
Financial Services
Manufacturing
Telecommunications

In the third quarter of 2016, threats accelerated in particular against manufacturers and telecom operators. Conversely, retailers, a key focus of cyberattacks in the United States, are virtually at the bottom of the list in Europe.

Exhibit 2: TARGETED MALWARE DETECTION ACROSS EUROPE DURING JANUARY TO SEPTEMBER 2016

(Chart: number of events, 0 to 60, per quarter Q1 2016, Q2 2016 and Q3 2016, by sector: Energy/Utilities, Entertainment/Media/Hospitality, Financial Services, Government/Federal, High-Tech, Insurance, Manufacturing, Retail, Service Provider, Service/Consulting, Telecom, Transportation.)

Source: FireEye|Marsh & McLennan Cyber Risk Report 2017 Cyber Threats: A perfect storm about to hit Europe?


In addition, governments are a primary target for hackers across Europe. Indeed, aggregating attacks against national, state and local governments into a single category makes government the number one target in Europe.

To date, there has been an underreporting of cyber incidents in the EU. Nonetheless, a handful of public reports reveal significant cyber incidents across the continent. In 2016, cyber hackers stole more than $75 million from a Belgian bank and $50 million from an Austrian aircraft parts manufacturer through fraudulent emails mimicking legitimate communications to fool companies into transferring money to a hacker's account.

In sum, no sector of the economy is immune from attack: not industry, not government and not even the not-for-profit sector. Accordingly, we need a mindset, particularly between government and industry, that we are all in this together.

COMPANIES IN EUROPE TAKE 3x LONGER TO DETECT CYBER INTRUSIONS

FireEye found that companies in the European Union take three times longer than the global average to detect a cyber intrusion. The region's mean dwell time (the time between compromise and detection) was 469 days, versus a global average of 146 days.

DWELL TIME UNTIL A COMPROMISE IS DETECTED: 469 days in Europe; 146 days global average

The delay in identifying intrusions has profound consequences. At a basic level, the notion that hackers are rooting around in companies' networks undetected for 15 months is sobering, as it allows ample opportunity for lateral movement within IT environments.

Equally important, dwell times of this length allow hackers the opportunity to develop multiple entry and exit doors. When a company does detect an intrusion, the natural first impulse is to shut down its system to stop the bleeding. Numerous stakeholders then press the organization and its management team to get back online and operating. In this dynamic, FireEye has found that hackers compromised many organizations in Europe a second time within months of the initial breach. Repeated breaches most often result from the use of unsuitable techniques to hunt initially for attacks within their environment. Many companies still opt for a traditional forensic methodology, only analyzing a handful of machines or systems. On average, however, hackers in Europe have infected approximately 40 different machines in any given company during the length of their cyber intrusions.

HOW ARE MOTIVES AND TACTICS CHANGING?

Hackers come in many forms and differing degrees of sophistication. In addition to attacks against critical infrastructure, EU cyber threats are dominated by two distinct groups: hackers with political goals and hackers with financial motives.

IS POLITICALLY MOTIVATED HACKING ON THE RISE?

In 2016, FireEye observed numerous nation-state or nation-sponsored intrusions against EU governments, and specifically against foreign or defense ministries of member states. Recently, nation-state sponsored threat actors have shown strong interest in extending these attacks into the political arena.

In September 2016, politicians and employees of political parties in Germany were targeted with a series of spear phishing e-mails, purportedly from NATO headquarters, regarding a failed coup in Turkey and the earthquakes that hit Italy's Amatrice region. The links in these spurious e-mails contained malware. Arne Schoenbohm, the head of the German BSI, responded swiftly by warning political parties across the spectrum in Germany that the country needed to learn the lessons from the recent elections in the United States.

In December, the focus shifted to France. France's National Cybersecurity Agency, known as the ANSSI, summoned representatives of all political parties to a detailed cyber briefing about the threat posed by cyberattacks.


Exhibit 3: RANSOMWARE EVOLUTION AND GROWTH IN EUROPE

This chart depicts a monthly average of the ransomware events that occurred from January to September in 2015 and 2016. While the number of events varied, the increase in events in 2016 over the prior year is significant and worrisome.

(Chart: incidents of ransomware increase, 0% to 30%, by month from January to September, 2015 versus 2016.)

Source: FireEye|Marsh & McLennan Cyber Risk Report 2017 Cyber Threats: A perfect storm about to hit Europe?

Prior to the recent attacks in the US, few would have considered political parties and voting machines as part of a nation's critical infrastructure. With national elections looming in the Netherlands (March 2017), France (May 2017) and Germany (late 2017), however, the risk posed to the integrity of the electoral process is all too real.

CRIMINAL HACKERS STILL A DANGEROUS THREAT

Cyber criminals continue to target organizations and private citizens across Europe to steal information, stage cyber extortion attacks, and steal money through fraudulent transactions.

The use of ransomware spiked significantly in 2016. Victims are asked to pay a ransom in the form of bitcoins. Utilizing malware with names like Cryptolocker, TorLocker and Teslacrypt, hackers encrypt your files and then demand a ransom to unlock them. In one recent example, a ransomware variant called Locky targeted users in more than 50 countries, many of them in Europe. Locky utilized exploit kits and mass e-mailing campaigns, often seen with spam. The campaign enticed recipients to open e-mail attachments that appeared to be invoices but instead contained malware. Victims are asked to pay the ransom to obtain a decryption key that will then unlock their systems. As more criminals successfully carry out ransomware attacks, others are enticed to try this growing type of malware attack. This form of attack has been particularly prevalent in the health care space, with one report contending that 88 percent of ransomware attacks target the healthcare industry [1].

CONCLUSION

In addition, there has been an increase in targeting of corporate executives across Europe to carry out a scam known as CXO fraud or Business E-mail Compromise. Cyber criminals typically mimic a small to mid-size enterprise with international supply chains requiring regular wire transfer payments. Hackers compromise legitimate business e-mail accounts and then request unauthorized transfers of funds.

[1] Solutionary's Security Engineering Research Team Quarterly Threat Report, Q2 2016.

This article is an excerpt from the FireEye|Marsh & McLennan Cyber Risk Report 2017 Cyber Threats: A perfect storm about to hit Europe?


ASIA PACIFIC: A PRIME TARGET FOR CYBERCRIME
Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo

Asia is 80 percent more likely to be targeted by hackers than other parts of the world. The number of high profile cyber incidents has risen in recent years, although we assert that the public sees only a sliver of the real impacts of such incidents. Reasons for the relatively higher cyber threat potential in Asia Pacific (APAC) are twofold: the growing speed and scope of digital transformation, and the expanding sources of vulnerability stemming from increasing IoT connectivity.

ACCELERATING DIGITAL TRANSFORMATION IN APAC

Digital transformation (the connection of individuals, companies, and countries to the Internet) has emerged among the most transformative means to ignite sustainable growth. This is most evident in APAC, where strong economic growth in recent years has been powered by the rapid adoption of Internet and mobile technologies.

Across the region, a few emerging economies have accelerated their digital transformation so rapidly that they have bypassed various stages of technology development just over the past few years: many people across several Asian countries have leapfrogged from not having any Internet access at home to owning multiple mobile devices and accessing the Internet. For example, estimates from The World Bank indicate 22 percent of Myanmar is now online, compared to less than 2 percent in 2013, opening abundant opportunities for the domestic consumer market.

In Indonesia, meanwhile, mobile device subscription rates were estimated to be higher than the rest of Asia in 2015 (132 percent vs. 104 percent). The high subscription rate was one key driving force propelling the domestic mobile-money industry: annual e-money transaction values in Indonesia grew to almost Rp5.2 trillion ($409 million) in 2015 from Rp520 billion ($54.7 million) in 2009.

Unfortunately, there remains a huge gap in cybercrime legislation in these countries: the lack of awareness and knowledge of basic security makes most online transactions highly susceptible to digital theft. While the breakneck speed of digital transformation is generally good news, safeguards must be in place alongside it to protect users and sustain the burgeoning digital business.

EXPANDING SOURCES OF VULNERABILITY

The rapid spread of internet-enabled devices (IoT) enables new and more efficient modes of communication and information sharing. Asia Pacific, in various aspects, leads in IoT technology: South Korea, Australia, and Japan are among the top five countries reaping the most benefits from IoT, according to the 2016 International Data Corporation (IDC) Internet-of-Things Index.

Over time, IoT technology will create and add a significant fleet of digitally-connected devices, most of them originating from APAC: China, Japan, and South Korea are constantly looking to "smartify" all possible consumer electronics, for example.

However, higher interconnectivity through the plethora of IoT devices has opened up new means of attack, according to William H. Saito, Special Advisor to the Cabinet Office, Government of Japan. In October 2016, one of Singapore's main broadband networks suffered a severe Distributed Denial of Service (DDoS) attack, causing two waves of internet-surfing disruptions over one weekend. Investigations revealed the security vulnerability was exposed through compromised IoT devices, such as customer-owned webcams and routers. Such smaller personal IoT devices are increasingly targeted since they potentially provide a backdoor into more robust security systems.

WEAKER CYBER RISK MITIGATION EFFORTS

Despite the ever-present and ever-growing cyber threat potential in APAC, companies in the region appear less prepared. A lack of transparency has resulted in low levels of awareness and insufficient cybersecurity investments.

Copyright 2017 Marsh & McLennan Companies 16


MMC CYBER HANDBOOK 2018 WAKE UP TO THE SHIFTING CYBER THREAT LANDSCAPE

Exhibit 1: A HIGHER THREAT POTENTIAL

SPEED OF DIGITAL TRANSFORMATION (2015/2016 vs. 2020)
- More internet users globally: 3.7 BN in 2015/2016, 4.2 BN in 2020; growth led by APAC (60%)
- Greater interconnectivity among 4G mobile devices: 1 BN connections in 2015/2016, 4.7 BN in 2020; almost half (49%) of the increase attributed to APAC
- Higher mobile network traffic: 7 EB/month in 2015/2016, 35 EB/month in 2020; APAC accounts for the largest share of traffic (47%)

ASIA PACIFIC LEADS THE INTERNET-OF-THINGS (IOT) MARKET
- Technology adoption pioneers: Japan and South Korea pioneered the adoption of IoT and machine-to-machine technology
- Top broadband (internet) speed: 5.6 Mbps global average vs. 27 Mbps in South Korea
- Global IoT connectivity: 4.9 BN units in 2015/2016, 25 BN in 2020, with APAC contributing 8.6 billion
- Exponential growth in IoT market revenue: $656 BN in 2015/2016, $1.7 TN in 2020; China and Japan alone account for a quarter of global revenue, followed by the US

Source: Cyber Risk in Asia-Pacific: The Case for Greater Transparency


LOW AWARENESS

A survey conducted by ESET Asia in 2015 revealed that 78 percent of Internet users in Southeast Asia have not received any formal education on cybersecurity, highlighting that most people in the region are oblivious to their cyber vulnerabilities.

The lack of disclosure regulation has also created the perception that cyberattacks in the region are relatively lower than those reported in the US or Europe, even though Asian businesses are significantly more likely to be targeted.

LOW INVESTMENTS

The low level of awareness in general leads to an underinvestment of time, finances, and resources in the technologies and processes needed to combat cyber adversaries.

For example, a 2016 Beazley survey found 80 percent of the surveyed small-medium enterprises (SMEs) in Singapore used anti-virus software as their main cyber risk management tool, while only 8 percent allocated more than $50,000 to their cybersecurity budgets. Furthermore, APAC firms on average spent 47 percent less on information security than North American firms in 2015.

The need to combat cyber threats has never been more urgent in the APAC region, and major industries in the region (construction and engineering, financial, high tech and electronics, for example) are especially susceptible to the threats. A series of recent, high-profile cyberattacks that touched multiple countries and industries across the region have brought the issue to the fore.

Yet these incidents represent only a handful of all attacks. LogRhythm, a security intelligence company, estimated up to 90 percent of APAC companies came under some form of cyberattack in 2016. A survey by Grant Thornton revealed that business revenues lost to cyberattacks in APAC amounted to $81.3 billion in 2015, exceeding those in North America and Europe by approximately $20 billion each.

What is worrying is that this is likely only the tip of the iceberg. Cheah Wei Ying, an expert on non-financial risk at Oliver Wyman, believes that the majority of

Exhibit 2: CYBERATTACKS IN APAC: TIP OF THE ICEBERG?

- INDIA: 3.2 million debit cards from at least five banks were compromised as cyberattackers introduced malware into the payment services systems
- BANGLADESH: Cyber attackers stole $81 million from the central bank by hacking into an official's computer and transferring the funds to the Philippines
- HONG KONG: Personal data of 6.4 million children were leaked in a cyberattack on a digital toymaker firm; Bitfinex, the world's fifth largest bitcoin exchange, had $65 million worth of funds stolen by cyber criminals
- JAPAN: 7.9 million individuals' personal details were exposed when Japan's largest travel agency was compromised
- TAIWAN: 16 ATM thieves installed three different malware programs into ATMs to steal more than $2 million
- THAILAND: $350,000 from 18 ATMs belonging to a local savings bank was stolen by an individual with a malware-equipped ATM card
- SINGAPORE: 850 personnel at the Ministry of Defense had their personal details stolen, in an attempt to access official classified information
- VIETNAM: An airline system was breached and the personal information of 400,000 frequent flyers was leaked online
- PHILIPPINES: 68 government websites were compromised, including defacement, slowdowns and distributed denial-of-service (DDoS)

Source: Cyber Risk in Asia-Pacific: The Case for Greater Transparency


Exhibit 3: DEVELOPMENTS IN DATA PRIVACY AND BREACH DISCLOSURE REGULATIONS

CHINA
- Introduced a sequence of legislative reforms in recent years that seek to ensure stronger data protection
- Complex overlay of piecemeal regulations as there is no single dedicated regulator, rendering it difficult to interpret and implement

HONG KONG
- The Personal Data (Privacy) Ordinance has been in effect since 1995, but it has not been strongly enforced
- Enforcement has picked up in recent years, with reported incidents to the Commissioner increasing by 40 percent year-on-year in 2015 and four offenders being convicted and fined
- The Hong Kong Monetary Authority, in collaboration with the banking industry, launched the Cybersecurity Fortification Initiative, under which the Cyber Resilience Assessment Framework will be completed by mid-2018

THAILAND
- Drew up a draft data protection bill in 2015, but it has come under criticism for placing undue responsibility on third-party providers to ensure data privacy
- The bill is still in the midst of revisions

VIETNAM
- Introduced the Law on Cyber Information Security in July 2016, although there are questions about what constitutes compliance for many of the standards

MALAYSIA
- Introduced Personal Data Protection Regulations in 2013, but they only came into effect in December 2015, with penalties of up to US$70,000

INDONESIA
- No general law on data protection, although discussions of a draft bill have been in progress for over a year

SINGAPORE
- Introduced the Personal Data Protection Act (PDPA) in 2014, which carries a penalty of up to $800,000
- Singapore's central bank, the Monetary Authority of Singapore, requires that financial institutions notify it of any adverse development: events that could lead to prolonged service failure or disruption, or any breach of customer information
- A new standalone Cybersecurity Act is to be enacted in 2017 to report incidents and proactively secure critical information infrastructure

AUSTRALIA
- The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was enacted in February 2017
- Australian organizations will now have to publicly disclose any data breaches, with penalties ranging from $360,000 for responsible individuals to $1.8 million for organizations

Source: Cyber Risk in Asia-Pacific: The Case for Greater Transparency

cyberattacks in the region usually go unreported, as companies are neither incentivized nor required to do so. This lack of transparency underpins APAC's susceptibility to cyberattacks.

Apart from selected countries (e.g., Japan, South Korea) and industries (e.g., financial services in Singapore), APAC still lags the West in terms of cyber transparency. Organizations are able to conceal data compromises from regulators and their stakeholders, dulling the true impacts of cyberattacks and impeding the threat awareness required to act against cyber criminals.

CONCLUSION

In the region's battle against cybercrime, the most critical issue is raising the level of transparency.

This article is an excerpt from the report entitled Cyber Risk in Asia-Pacific: The Case for Greater Transparency.

Wolfram Hedrich is the Executive Director of Marsh & McLennan Companies Asia Pacific Risk Center. Gerald Wong is a Senior Consultant for Oliver Wyman. Jaclyn Yeo is a Senior Research Analyst for Marsh & McLennan Companies Asia Pacific Risk Center.


CYBER RISK: ASIA-PACIFIC IN NUMBERS

THE SEVERITY OF CYBERATTACKS
- Hackers are 80% more likely to attack organizations in Asia
- $81 billion in business revenues lost to cyberattacks
- Cyberattacks are ranked 5th among Asian top risks and 6th among global top risks

RECENT EXAMPLES IN ASIA
- $81 million stolen in a cyberattack on a bank in Bangladesh in May 2016
- Personal data of 850 personnel stolen from Singapore's defense ministry online database portal in Feb 2017
- 6.4 million children's data stolen in the Hong Kong hacking of a digital toymaker firm in Dec 2015
- 68 Philippine government websites simultaneously hacked in July 2016

ASIAN FIRMS LAG IN CYBERSECURITY
- 78% of Internet users in Asia have not received any education on cyber security
- Asian organizations take 1.7 times longer than the global median to discover a breach
- Asian firms spent 47% less on information security than North American firms

CHALLENGES FOR FIRMS IN MANAGING CYBERSECURITY
- A share of organizations (figure not recoverable from the source layout) found it difficult-to-extremely-difficult to recruit cyber talent
- 70% of firms do not have a strong understanding of their cyber posture
- Primary insurers are reluctant to provide single coverage above $100 million

Source: Cyber Risk in Asia-Pacific: The Case for Greater Transparency


THE EQUIFAX BREACH AND ITS IMPACT ON IDENTITY VERIFICATION
Paul Mee and Chris DeBrusk

Does the Equifax data breach mean that existing processes for confirming the identity of customers no longer work? Equifax, a leading US credit bureau, has announced that it suffered a data breach resulting in the exposure of critical personal and financial data for 143 million Americans. The implications for the affected consumers are profound. While their credit cards can be re-issued with new numbers, their legal names, addresses, social security numbers, and birthdates cannot.

Equally profound are the implications for companies who use information stored by credit bureaus as a mechanism for confirming the identity of new and returning customers. At many companies, standard procedures for confirming customer identity involve asking for the last four digits of a social security number (SSN). The safety of this procedure is now in question, and it is reasonable to assume that all these SSNs are now in circulation among fraudsters and for sale on the dark web.

Other standard procedures for confirming identity require the consumer to answer challenge questions based on the content of their credit files. For example, a consumer may be asked whether or not they took out an auto loan during the last six months and, if so, for what type of vehicle. Or they might be asked to confirm a prior address. These methods are now far less safe, as the underlying information has been hacked. In fact, there is a real question as to which commonly used identity-confirmation processes are still viable.

Banks, mortgage companies, insurance companies, asset managers, telecommunication companies, medical and health companies, hospitals and other organizations hold critical information on their customers, and often their money. These organizations arguably have a moral and fiduciary obligation to prevent fraudsters from obtaining data and using it to take over accounts or open new accounts fraudulently. If organizations fail to protect their customers, they will expose themselves to legal action as well as potentially punitive responses from regulators.

In this challenging new world, we see three imperatives for chief risk officers, chief security officers, heads of compliance and line of business leadership.

SOCIAL SECURITY NUMBERS SHOULD BE CONSIDERED PUBLICLY KNOWN

Arguably, the safety of using SSNs in authentication has been declining for some years, and certainly since the large data breach of the IRS in 2015. However, the last four digits of the SSN are still casually assumed to be confidential information in identity verification processes. Companies need to start relying on information that is truly known only to the company and its customer.

PROCESSES FOR CONFIRMING CUSTOMER IDENTITY TO PREVENT ACCOUNT TAKEOVER AND FRAUD NEED TO BE RETHOUGHT

When considering fraud risk, and procedures for avoiding customer account opening or takeover by fraudsters, the use of third-party information for identity confirmation is now arguably much less reliable than ever before. Adapting to this new reality will complicate many existing processes, especially those that support account password resets, because if a customer cannot access his or her account, you cannot readily confirm identity using past transaction history (unless the customer has a really good memory!).

The only information that can be used with confidence for identity confirmation is that which is unique to the consumer and the verifying company. A statistical approach could be taken that relies on a broad range of different types of information, the totality of which is unlikely to be available to a fraudster. However, given constant announcements


regarding data breaches, even this approach could be challenged, especially in light of ongoing innovation by fraudsters and other bad actors.

Another complexity and practical challenge is that many organizations only encrypt and protect key data items such as SSNs in their systems, and don't protect the information that they will now need to use to confirm identity. A comprehensive reevaluation of what information is deemed sensitive and critical across databases and customer support systems needs to be performed, and the means determined to protect this information from leakage or unauthorized access.

Today, many organizations use two-factor authentication as a mechanism to protect against account takeover attempts, phishing, and other fraudulent activities. The most common approach is to leverage a customer's mobile phone and a text message to confirm identity. It is worth noting that the information that was likely released in the Equifax breach (and others) could also be in use supporting identity processes at mobile phone companies.

Using text messages has always been of dubious merit. Mobile phone companies have themselves had difficulty preventing fraudsters from getting control of their customers' phone numbers (for example, through SIM-swap or number-porting fraud), and whoever controls the number receives the code. Given the Equifax breach, the use of text messages to support two-factor authentication processes needs to be re-examined and alternative approaches implemented.

One potential new tool that companies can leverage to confirm identity is biometrics, although their use as a primary mechanism to confirm identity is still in question given the numerous examples of mobile phone fingerprint readers being spoofed by fakes. Emerging capabilities to perform facial recognition and iris scanning via mobile phones are worth watching to see how they can be leveraged, but they won't address the immediate challenges of confirming identity.

ACCURATELY IDENTIFYING NEW CUSTOMERS JUST GOT A LOT MORE DIFFICULT

Possibly the most difficult part of authentication takes place when a new customer opens an account. For complex financial products, this can be less of a concern due to the larger quantities of information that need to be collected, extensive know-your-customer processes and the sheer amount of time that opening a new account requires. Yet, as more and more consumer account opening processes are digitized and the time-to-first transaction decreases, companies need to redesign the processes by which they confirm that the new customer truly is the person they claim to be. This is going to be even more critical for products that allow a customer to establish an immediate liability, such as a short-term loan, or that aim to provide an immediate service for a deferred payment.

Industry organizations such as the FIDO Alliance are attempting to create industry-wide standards and support new solutions to the identity problem. This is all to the good, but in light of the Equifax data breach it is imperative that each organization perform a comprehensive audit of its own customer identity processes to ensure they understand where changes are needed, and also that they are accurately assessing the risks of process failures.

Given the increasing sophistication of attackers, the question is more likely when, not if, you will be attacked and compromised. Too often organizations focus on the potential for direct losses (fines, litigation and remediation) that result from a customer account being compromised, and not enough on the reputational damage (impact on brand value and customer loyalty) that can result from being inadequately prepared for a major incident or data breach.

With these factors in mind, senior executives need to be asking the questions: Are we fully prepared to respond to a large-scale information breach? And how do we protect our customers in the best possible manner?

Paul Mee is a New York-based Partner in Oliver Wyman's Digital and Financial Services practices. Chris DeBrusk is a New York-based Partner in Oliver Wyman's Finance and Risk, CIB, and Digital practices.


LESSONS FROM WANNACRYPT AND NOTPETYA
Tom Burt

On May 12th, 2017, the world experienced the malicious WannaCrypt cyberattack. Starting first in the United Kingdom and Spain, the WannaCrypt malware quickly spread globally, blocking users from their data unless they paid a ransom. The antecedents of this attack occurred when criminals used exploits reportedly stolen from the U.S. National Security Agency (NSA) to develop this malware. By the first week, 45,000 attacks in nearly 100 countries were attributed to WannaCrypt, with 45 British hospitals and other medical facilities being some of the hardest hit.

On June 27th, 2017, just six weeks after WannaCrypt, the NotPetya cyberattack began in Ukraine and quickly spread globally by exploiting the same vulnerability, with the same stolen exploit, used in the WannaCrypt attack. This new attack, which in the guise of ransomware hid malware designed to wipe data from hard drives, also had worm capabilities which allowed it to move laterally across infected networks, with devastating consequences. In Ukraine, for example, workers at the Chernobyl nuclear plant were forced to manually monitor nuclear radiation when their computers failed.

THREE KEY LESSONS TO SURVIVE THE NEXT WANNACRYPT

There are three lessons from WannaCrypt and NotPetya with relevance for technology companies and their customers, as well as our technology-dependent societies. First, technology providers like Microsoft must continue to improve our own capabilities and practices to protect our customers against major cyberattacks. Second, technology companies and their customers must understand that cybersecurity is a shared responsibility, and that each stakeholder must take the actions necessary to improve security in the online ecosystem. Finally, governments must come together, along with technology companies and civil society groups, to pave the way for a new Digital Geneva Convention that will establish new international rules to protect the public from peacetime nation-state threats in cyberspace.

Technology companies have an increasing responsibility to strengthen their customers' security. Microsoft is no exception. With more than 3,500 security engineers, Microsoft is working comprehensively to address cybersecurity threats. This includes new security functionality across our entire software platform, including constant updates to our Advanced Threat Protection service to detect and disrupt new cyberattacks. With respect to WannaCrypt and NotPetya, Microsoft released security updates in March of 2017 that addressed the vulnerability exploited by the attacks. But we have not stopped there. Microsoft has been assessing their characteristics with the help of automated analysis, machine learning, and predictive modeling, and then using those lessons to constantly improve the security for all of our customers.

These attacks also demonstrate the degree to which cybersecurity has become a shared responsibility between technology companies and customers. In particular, WannaCrypt and NotPetya are powerful reminders that information security practices like keeping systems current and patched must be a high responsibility for everyone, and it is something every top executive should support. Millions of computers were running terribly outdated software or remained unpatched months after Microsoft released its March updates, leaving them vulnerable. In fact, over 10 percent of the computers that were successfully attacked were running Windows XP, which was originally released in 2001. And no fully up-to-date Windows computer was successfully penetrated. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.

Finally, these attacks provide additional proof of why the stockpiling of vulnerabilities by governments is such a problem. This was an emerging pattern in 2017. As an example, vulnerabilities stored by intelligence agencies were showing up on WikiLeaks, and vulnerabilities reportedly stolen from the NSA have affected technology users around the world. Exploits in the hands of governments have leaked into the public domain and caused widespread damage, including the most recent example of an NSA contractor who compromised sensitive hacking tools by placing information on his home computer. As Microsoft's


President, Brad Smith, explained immediately after the WannaCrypt attack, the theft of a nation-state cyber weapon can lead to economic devastation even more significant than theft of a conventional weapon, and when critical facilities such as hospitals or power grids are hacked, can put just as many human lives at risk.

WANNACRYPT IS A WAKE-UP CALL

Clearly, governments of the world should treat WannaCrypt, NotPetya, and other nation-state sponsored cyberattacks as a wake-up call. Nation-state conflict, which started on the land, moved to the sea and found its way into the air, has moved to cyberspace, with governments increasingly using the internet to hack, spy, sabotage and steal, and most recently to simply impose economic destruction. This battle is waged on private property: in the datacenters, cables and servers of private companies like Microsoft, and on the laptops and devices owned by private citizens. And increasingly, private companies and individuals are finding themselves in the crosshairs.

Nation-states need to take a different approach and adhere in cyberspace to the same rules applied to conventional weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities, from inadequate protection of them from theft, and from the use of these exploits. This is one reason Microsoft called in February 2017 for a new Digital Geneva Convention to address these issues, including a new requirement for governments to report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

Moreover, industry must also play a role in enabling a more secure Internet. Therefore, in the coming months Microsoft will continue to work across the technology sector to discuss a set of principles that can create the foundation for an industry accord outlining what, as an industry, we will do and what we won't do, all to protect our customers and help law enforcement. One principle that resonates strongly within the tech sector is a commitment to assist and protect customers everywhere, and never to assist in attacking them.

All the norms, rules and agreements in the world will not matter if attackers cannot be held accountable. That needs to start with attributing an attack to the perpetrator, even if it is a state or a state-sponsored group. While attribution could be collaborative between the public and private sector, drawing on the strengths of both technology companies and governments to investigate cyberattacks and identify those behind them, it must be independent and trustworthy. Trusted, credible attribution of cyberattacks would give governments, not just the jurisdiction where a particular victim resides, expert information to determine whether to take further action against the perpetrators. As with other complex and organized criminal networks, multiple jurisdictions may have information or a stake in uncovering the overall crime. Cybercrime is transnational and complex. To this end, the technology sector should work together, and seek the support of other experts in non-profit groups, academia, and elsewhere, to create such an organization to help deter nation-state attacks in cyberspace and protect our customers.

CONCLUSION

WannaCrypt and NotPetya were just two of the major cyberattacks this past year, but their origins and impacts should train our attention on more urgent collective action. With help from nation-states, attackers are becoming more sophisticated and better funded. Confronting future nation-state sponsored attacks will only become more difficult, and that is why the tech sector, customers, and governments must work together. In this sense, the WannaCrypt and NotPetya attacks are a wake-up call for all of us. Microsoft recognizes the responsibility to help answer this call, and is committed to doing its part.

Tom Burt serves as Vice President, Deputy General Counsel of Digital Trust at Microsoft.
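The article describes NotPetya's worm component moving laterally across infected networks and notes that the patch had been available since March; it does not name the protocol, but both worms spread over SMB on TCP port 445. As an added example (not Microsoft's or the author's code), the following Python runs a simple fan-out detection over constructed connection-log lines: a single host opening SMB connections to many distinct peers inside a short window is the signature of automated spreading rather than normal file-share use, and is one of the few signals available on hosts that missed the update. The log format, thresholds and function names are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One connection record per line: "<ISO timestamp> <src ip> -> <dst ip>:<dst port> <flags>".
# This is a format constructed for the example, not the output of any particular firewall.
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_smb_scanners(lines, window_seconds=60, threshold=10, port=445):
    """Flag sources that reach `threshold` or more distinct hosts on `port` within
    any `window_seconds` window. Returns {src: peak number of distinct targets}.
    Many clients talking to one file server (many-to-one) never trips this;
    one host sweeping a subnet (one-to-many) does."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == port:
            by_src[rec[1]].append((rec[0], rec[2]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # logs are rarely in strict time order
        window = deque()
        for ts, dst in events:
            window.append((ts, dst))
            cutoff = ts - timedelta(seconds=window_seconds)
            while window[0][0] < cutoff:
                window.popleft()
            distinct = len({d for _, d in window})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def build_sample_log():
    """Constructed sample traffic (not a real capture) for a 10.0.3.0/24 office network."""
    base = datetime(2017, 5, 12, 14, 2, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # A workstation repeatedly opening shares on the file server: one target, normal.
    lines += [f"{stamp(i * 7)} 10.0.3.40 -> 10.0.3.5:445 SYN" for i in range(5)]
    # Fifteen workstations hitting the same file server: many-to-one, also normal.
    lines += [f"{stamp(i)} 10.0.3.{50 + i} -> 10.0.3.5:445 SYN" for i in range(15)]
    # One infected host sweeping the /24 on 445 within 24 seconds: one-to-many.
    lines += [f"{stamp(i)} 10.0.3.17 -> 10.0.3.{i}:445 SYN" for i in range(1, 25)]
    # The same host also probes port 80 everywhere; the SMB rule ignores those.
    lines += [f"{stamp(i)} 10.0.3.17 -> 10.0.3.{i}:80 SYN" for i in range(1, 25)]
    return lines


if __name__ == "__main__":
    for src, peak in find_smb_scanners(build_sample_log()).items():
        print(f"ALERT {src}: {peak} distinct SMB targets inside 60s (worm-like fan-out)")
```

The threshold and window are tuning knobs: on a network where administrators legitimately fan out over SMB (software deployment, backup agents), allow-list those sources rather than raising the threshold so high that a slow worm stays under it. Detection is the fallback; the lesson the article draws is that a fully patched host gives the rule nothing to find.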


THE MIRAI DDOS ATTACK IMPACTS THE INSURANCE INDUSTRY
Pascal Millaire

We are entering a new era for global insurers, where business interruption claims are no longer confined to a limited geography, but can simultaneously impact seemingly disconnected insureds globally. This creates new forms of systemic risk that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.

On Friday, October 21st, 2016, a distributed denial of service (DDoS) attack rendered a large number of the world's most popular websites inaccessible to many users, including Twitter, Amazon, Netflix, and GitHub. The internet outage conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs, and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users' ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.

The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:

1. The proliferation of systemically important vendors

The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.

The insurance industry is aware of the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy, and 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers. There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites, and some of these vendors may not have the kind of security that exists within providers like AWS.

2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy

The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring, and connected vehicles is another key development. Estimates vary that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. Security is often not being built into the design of these products in the rush to get them to market.

Symantec's research on IoT security has shown the state of IoT security is poor:
- 19 percent of all tested mobile apps used to control IoT devices did not use Secure Socket Layer (SSL) connections to the cloud
- 40 percent of tested devices allowed unauthorized access to back-end systems
- 50 percent did not provide encrypted firmware updates, if updates were provided at all
- IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use the default credentials of Raspberry Pi devices to compromise them

The Dyn attack compromised less than one percent of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.

Outages like these are just the beginning. Shankar Somasundaram, Senior Director, Internet of Things at Symantec, expects more of these attacks in the near future.

3. Catastrophic losses due to cyber risks are not independent, unlike natural catastrophes

A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.

In the cyber world, consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).
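Mirai's propagation, as described above, is a dictionary attack over telnet against factory default credentials, and honeypots such as the ones Symantec maintains (mentioned later in this article) capture exactly those attempts. As an added example (not Symantec's or the author's code), the following Python classifies sources in a constructed honeypot log as Mirai-style scanners by the share of their login attempts that use known factory defaults, and records which default pair, if any, opened the device. The log format, the thresholds and the function names are this example's own assumptions; the credential list is a small subset of the publicly leaked Mirai dictionary plus the Raspberry Pi default the page names, and should be replaced by the full list in practice.

```python
import re
from collections import Counter, defaultdict

# Illustrative subset of the username/password pairs in the leaked Mirai source,
# plus the Raspbian default the article mentions. Extend from the full list in practice.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("guest", "guest"), ("guest", "12345"), ("admin", "1234"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("root", "system"),
    ("root", "ikwb"), ("root", "dreambox"), ("root", "realtek"), ("root", "00000000"),
    ("pi", "raspberry"),  # Raspbian default, named on the page
}

# Constructed honeypot record format (not any particular honeypot's output):
# <ISO timestamp> src=<ip> dport=<port> user="<name>" pass="<password>" result=<success|fail>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) '
    r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)" result=(?P<result>\w+)$'
)


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, min_attempts=5, min_default_ratio=0.8):
    """Per source: attempts, how many used a known factory default, ports touched and the
    first credential that succeeded. A source with at least `min_attempts` attempts of
    which at least `min_default_ratio` are default pairs is reported as a Mirai-style
    scanner; a recorded success means the emulated device would now be a bot."""
    per_src = defaultdict(lambda: {"attempts": 0, "defaults": 0, "ports": set(), "success": None})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        cred = (rec["user"], rec["pw"])
        s["attempts"] += 1
        s["ports"].add(int(rec["dport"]))
        if cred in DEFAULT_CREDENTIALS:
            s["defaults"] += 1
        if rec["result"] == "success" and s["success"] is None:
            s["success"] = cred
    report = {}
    for src, s in per_src.items():
        ratio = s["defaults"] / s["attempts"]
        if s["attempts"] >= min_attempts and ratio >= min_default_ratio:
            report[src] = {"attempts": s["attempts"], "default_ratio": round(ratio, 2),
                           "ports": sorted(s["ports"]), "success": s["success"]}
    return report


def top_credentials(lines, n=5):
    """Most-tried username/password pairs across all sources (what to rotate first)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["user"], rec["pw"])] += 1
    return counts.most_common(n)


def build_sample_log():
    """Constructed honeypot lines, not real captures."""
    sweep = [("root", "vizxv"), ("root", "admin"), ("admin", "admin"), ("root", "888888"),
             ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"), ("root", "xc3511")]
    lines = []
    # A bot working through its dictionary on 23, then 2323, until one pair opens the device.
    for i, (u, p) in enumerate(sweep):
        port = 23 if i < 6 else 2323
        result = "success" if i == len(sweep) - 1 else "fail"
        lines.append(f'2016-10-21T11:02:{i:02d} src=198.51.100.7 dport={port} '
                     f'user="{u}" pass="{p}" result={result}')
    # A slow source trying only four defaults: stays below the attempt threshold.
    slow = [("user", "user"), ("guest", "guest"), ("root", "1234"), ("admin", "1234")]
    for i, (u, p) in enumerate(slow):
        lines.append(f'2016-10-21T11:0{3 + i}:00 src=203.0.113.4 dport=23 '
                     f'user="{u}" pass="{p}" result=fail')
    # An operator mistyping, then logging in with a non-default password: not flagged.
    lines.append('2016-10-21T11:09:00 src=192.0.2.10 dport=23 user="admin" pass="Tr0ub4dor&3" result=fail')
    lines.append('2016-10-21T11:09:09 src=192.0.2.10 dport=23 user="admin" pass="Tr0ub4dor&3!" result=success')
    return lines


if __name__ == "__main__":
    for src, info in summarize(build_sample_log()).items():
        print(f"{src}: {info}")
    print("most tried:", top_credentials(build_sample_log()))
```

For an underwriter the useful output is the `success` field: a device that accepted a pair from the factory-default list is the "basic IoT security hygiene" failure the recommendations later in this article ask insurers to check for, and the product line it belongs to is the one to ask the insured about.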


Exhibit 4: DISTRIBUTION OF ATTACKS (by source country)
- China: 34%
- United States: 26%
- Russia: 9%
- Germany: 6%
- Netherlands: 5%
- Ukraine: 5%
- As well as a long tail of adversaries from Vietnam, the UK, France, and South Korea

Source: Symantec

First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots which collects IoT malware samples. Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention, and whether there are attempts to replicate attacks, is important for an insurer to respond to a one-off event.

Second, a key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyberattacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act-of-war definitions that exist in other insurance lines, cyberattack attribution to state-based actors is difficult and in some cases not possible.

WHAT DOES THIS MEAN FOR GLOBAL INSURERS?

The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:
- Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines
- Develop and hire cybersecurity expertise internally, especially in the group risk function, to understand the implications of cyber perils across all lines
- Proactively understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices
- Partner with institutions that can provide a multidisciplinary approach to modeling cybersecurity for insurers, including:
  - Hard data (for example, attack trends across the kill chain by industry)
  - Intelligence (such as active adversary monitoring)
  - Expertise (in new IoT technologies and key points of failure)

CONCLUSION

Symantec is partnering with leading global insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in their standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cybersecurity and cyber insurance industries.

This article first appeared in the Symantec Thought Leadership Blog.

Pascal Millaire serves as Vice President and General Manager, Cyber Insurance, for Symantec.


TIME FOR TRANSPORTATION AND LOGISTICS TO UP ITS CYBERSECURITY
Claus Herbolzheimer and Max-Alexander Borreck

When Danish shipping giant A.P. Moller-Maersk's computer system was attacked on June 27 by hackers, it led to disruption in transport across the planet, including delays at the Port of New York and New Jersey, the Port of Los Angeles, Europe's largest port in Rotterdam, and India's largest container port near Mumbai. That's because Maersk is the world's largest shipping company, with 600 container vessels handling 15 percent of the world's seaborne manufactured trade. It also owns port operator APM Terminals, with 76 port and terminal facilities in 59 countries around the globe.

For the transportation and logistics (T&L) industry, the June 27 cyberattack is a clarion call to elevate cybersecurity to a top priority. Besides Maersk, press reports said other transportation and logistics industry giants were affected, including German postal and logistics company Deutsche Post and German railway operator Deutsche Bahn, which was also a victim of the WannaCry ransomware attack in May.

While up until now hackers have seemed more preoccupied with penetrating computer systems at banks, retailers, and government agencies, places where a hacker can find access to lots of money and data and create substantial disruption, the most recent ransomware attacks demonstrate that the transportation and logistics industry is now on hackers' radars.

T&L's INCREASED DIGITIZATION

Part of the increased interest in the industry is because of its own efforts to digitize. Over the past couple of years, the industry has been in the process of automating systems, turning paper into digits, and using advanced analytics to stay on top of their customers' needs. That has put more systems online and vulnerable to the various attack tools now so readily available on the Darknet, the hidden underbelly of the Internet where hackers, terrorists, and criminals cavort anonymously, buying malware, stolen data, arms, and drugs.

The early, more obvious targets have upped their game in cybersecurity, and hackers, who are relentless, look down the chain for new avenues of entry. Hacking has also become not only a corporate business, but a nation state's business. Here, nation states are looking for places where things are crossing borders regularly and for access to major industries and public infrastructure, such as the airports and ports that transportation and logistics companies operate.

The transportation and logistics industry also has characteristics that make it a particularly tempting target. First, the industry is a global one with tentacles into so many different industries around the world. Complex logistical chains are created around manufacturers, and often logistics companies are embedded within production facilities, controlling inventory and handling the on-demand needs of a plant. Simultaneously, the industry is fragmented, with large transportation and logistics giants working alongside tiny companies responsible for one short leg of a product's long journey from raw materials, to production, to retailer, to consumer. This almost always means multiple technology systems are being employed, and multiple cybersecurity procedures of various degrees of rigor are being followed. This fragmentation provides more opportunities for hackers.


LOOKING FOR THE WEAKEST LINK

Like with all forms of warfare, attackers will seek out the weakest link in any chain, the most vulnerable element, as a target. Why steal money from the bank with all its infrastructure and protections when you can steal it on the way to the bank? While efforts to protect it along the way are made, almost any criminal could tell you it is almost always more insecure in transit.

We already see malware that allows for hacking of delivery robots and parcel lockers. Drones can be hacked, as can autonomous cars, and as these are used more and more for deliveries the potential for hijack increases. Drones could be flown into no-fly zones, posing the possibility of attacks on planes. When we reviewed the Darknet, we found personnel data from a major transportation and logistics company, car entry hacks, and means to create fake parcel station identities.

Until now, the transportation and logistics industry has not prioritized cybersecurity except in cases where life was on the line, such as with aerospace manufacturers or airlines, where the most sophisticated protections are used. But the direct costs from cybersecurity breaches are growing exponentially; by our projections, they can be expected to grow from $1.7 billion in 2015 to more than $6.8 billion by 2020. Companies, even small ones, need to invest in new systems and more comprehensive risk management.

INDUSTRY FRAGMENTATION IN SECURITY SOLUTIONS

The industry's fragmentation and its requirement to operate within the various IT systems of its customers make figuring out cybersecurity solutions more challenging and have led to lower investment. The industry also operates on low margins, making extensive capital expenditure on cybersecurity unattractive. That may be offset by the potential liability costs from hacks.

Increasingly, shippers and regulators will require transportation and logistics companies to guarantee the integrity of product and transport data, as well as ensure compliance with stricter cybersecurity laws. This will include carriers and forwarders, who are assuming central roles in supply chains as hubs for data exchange, making them high-value targets.

Taking precautions by installing security controls, such as firewalls, denial-of-service protection, and malware detection systems, is crucial, but insufficient by itself. Cyber risk management also needs to take into account personnel and organizational failure.

Ultimately, adopting proactive cybersecurity risk management provides an opportunity for transportation and logistics companies to differentiate themselves. Forward-looking companies will begin to see a safer logistical offering as a competitive advantage, especially if attacks continue.

CONCLUSION

In the end, no industry will be entirely safe from the threat of cyberattacks. But every industry must do its part to at least make hackers' jobs more difficult.

This article first appeared in Forbes on June 28, 2017.

Claus Herbolzheimer is a Berlin-based partner in Oliver Wyman's Digital practice. Max-Alexander Borreck is a Munich-based Principal in Oliver Wyman's Transportation and Logistics practice.


ARE MANUFACTURING FACILITIES AS SECURE AS NUCLEAR POWER PLANTS?
Claus Herbolzheimer and Richard Hell

With hundreds of thousands of IP addresses that are not directly reachable from the Internet, cybersecurity means more than Internet security. As companies leverage more and more intelligent sensors and cyber-physical systems to aggregate data for algorithms that will control and maneuver machines, they increase the level of cyber risk. Physical machines and tools or robots that were once confined by the four walls of a manufacturing plant are now vulnerable to outside forces.

Imagine if a malevolent outsider were to find a way to change the value of one or more sensor devices, triggering a chain reaction. In a chemical plant, it could change temperature or pressure settings and spark a cascade of negative events, possibly an explosion. In an automotive plant, it could force robots to go wild, or, even worse, covertly embed malware into autonomous vehicles during the automated flashing process.

MANUFACTURING PLANTS ARE VULNERABLE

Nuclear power plants and utility grids have layer upon layer of cyber measures in place, including air gaps with neither direct nor indirect Internet connections, and defense mechanisms that shut down or slow down activity if any abnormality is detected. But corporate manufacturing plants typically don't think in those terms, even though they may now have hundreds of thousands of potentially insecure IP addresses that are not exposed to the Internet directly but are still susceptible to hackers.

The more open the ecosystem, of course, the greater the danger. Manufacturers of autonomous vehicles, for example, are unleashing products designed to interact with other vehicles and a variety of connected roadside devices into an open environment more susceptible to hacking than a more closed ecosystem like the manufacturing plant itself, at least in theory. But that is only true if classic cybersecurity principles developed for the IT world are transferred into the industrial automation and cyber-physical systems world of production and control systems. If, say, a manufacturing plant's system is breached and negative events begin to cascade, you need a control mechanism that will either disconnect the system or put you in a safe mode so you can continue to operate at a reduced level until the problem is isolated and corrected. Just like a nuclear power plant.

Going forward, engineers need to change the way they develop products, and physically embed security in product design. Imagine producing and installing hundreds of thousands of vulnerable devices in cars. What does it mean, from an architectural or infrastructure perspective, to make a sensor, or any other IP device, secure? What is the next level of data security?

Companies need to manage the transition from a physically controlled environment to a digital environment. They need to develop policies to protect and monitor their systems, and to react and minimize damage when they are breached. They need to apply decentralized resilience to standards and rules so that intelligent systems stop connecting with each other and lock into safe mode when abnormalities are detected.

CONCLUSION

Given the proliferation of non-Internet IP addresses in the manufacturing world, private-sector companies should transfer the classic principles of multiple, redundant safety mechanisms and cybernetic control systems of high-resiliency industries to the field of cybersecurity in manufacturing.

Claus Herbolzheimer is a Berlin-based partner in Oliver Wyman's Digital practice. Richard Hell is a Munich-based Vice President in Oliver Wyman's Manufacturing Industries practice.
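The safe-mode control mechanism the article describes, as an added example that is not from the article or from Oliver Wyman: a supervisor that applies plausibility checks (physical range, rate of change, agreement between redundant sensors) to every reading before the reading is allowed to drive an actuator, and latches the process into a reduced-output safe mode on the first violation until an operator resets it. The limits, the 150-degree setpoint, the heater control law and the telemetry, including the tampered reading at tick 8, are all constructed assumptions for a hypothetical heated vessel.

```python
"""Safe-mode supervisor for a cyber-physical process loop.

Added example (not from the article): plausibility checks on sensor readings
that latch the plant into a reduced-output safe mode instead of letting a
tampered value drive the actuator.  All limits, setpoints and telemetry are
assumed values for a hypothetical heated reactor vessel.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    """Physical envelope of the process (assumed)."""
    temp_min: float = 20.0
    temp_max: float = 180.0
    pressure_max: float = 8.0             # bar
    max_temp_rate: float = 5.0            # degrees per tick a real vessel can change
    max_sensor_disagreement: float = 3.0  # degrees between redundant sensors


@dataclass
class Reading:
    tick: int
    temp_a: float      # primary temperature sensor
    temp_b: float      # redundant temperature sensor
    pressure: float


TARGET_TEMP = 150.0    # assumed control setpoint


def naive_heater(r: Reading) -> float:
    """Controller with no plausibility checks: it trusts whatever the sensors say,
    so a spoofed cold reading makes it run the heater flat out."""
    temp = (r.temp_a + r.temp_b) / 2
    return max(0.0, min(1.0, (TARGET_TEMP - temp) / 50.0))


@dataclass
class Supervisor:
    limits: Limits = field(default_factory=Limits)
    state: str = "NORMAL"
    heater: float = 0.0                     # 1.0 = full output, 0.0 = off
    reasons: List[Tuple[int, List[str]]] = field(default_factory=list)
    _last: Optional[Reading] = None

    def check(self, r: Reading) -> List[str]:
        """Return every plausibility rule the reading violates."""
        lim, faults = self.limits, []
        for name, t in (("temp_a", r.temp_a), ("temp_b", r.temp_b)):
            if not lim.temp_min <= t <= lim.temp_max:
                faults.append(f"{name} out of range: {t}")
        if r.pressure > lim.pressure_max:
            faults.append(f"pressure out of range: {r.pressure}")
        if abs(r.temp_a - r.temp_b) > lim.max_sensor_disagreement:
            faults.append("redundant temperature sensors disagree")
        if self._last is not None:
            for name, t, prev in (("temp_a", r.temp_a, self._last.temp_a),
                                  ("temp_b", r.temp_b, self._last.temp_b)):
                if abs(t - prev) > lim.max_temp_rate:
                    faults.append(f"{name} changed faster than the physics allows")
        return faults

    def step(self, r: Reading) -> str:
        """Process one reading.  The first fault latches SAFE_MODE: the heater drops
        to a fixed reduced output and sensor data no longer drives it until reset."""
        faults = self.check(r)
        if self.state == "NORMAL":
            if faults:
                self.state = "SAFE_MODE"
                self.heater = 0.2
                self.reasons.append((r.tick, faults))
            else:
                self.heater = naive_heater(r)   # healthy loop: normal closed-loop control
        self._last = r
        return self.state

    def reset(self) -> None:
        """Operator reset once the problem is isolated and corrected."""
        self.state, self._last = "NORMAL", None


def constructed_telemetry() -> List[Reading]:
    """Constructed data: a genuine warm-up, then at tick 8 an attacker rewrites
    sensor A to read cold so a naive controller would drive the heater to maximum."""
    rows = [Reading(t, 100.0 + 4.0 * t, 100.5 + 4.0 * t, 3.0 + 0.2 * t) for t in range(8)]
    rows.append(Reading(8, 60.0, 132.5, 4.6))    # temp_a tampered; temp_b genuine
    rows.append(Reading(9, 60.0, 136.5, 4.8))
    return rows


def run(readings: List[Reading]) -> Tuple[Supervisor, List[Tuple[int, str, float]]]:
    """Feed readings through a fresh supervisor; return it and a (tick, state, heater) trace."""
    sup = Supervisor()
    trace = [(r.tick, sup.step(r), sup.heater) for r in readings]
    return sup, trace


if __name__ == "__main__":
    sup, trace = run(constructed_telemetry())
    for tick, state, heater in trace:
        print(f"tick {tick:2d} {state:9s} heater={heater:.2f}")
    print("tripped at tick", sup.reasons[0][0], "because", sup.reasons[0][1])
    print("naive controller on the tampered reading:", naive_heater(constructed_telemetry()[8]))
```

Two details carry the security argument. The trip condition is physical plausibility, not a signature of any particular attack, so it catches a spoofed value whether it arrives through a compromised sensor, a rewritten fieldbus frame or a bug. And safe mode is latched: the supervisor keeps operating at reduced output but refuses to be talked back into normal control by the next plausible-looking reading, which is exactly the degraded-but-running state the article asks for.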



PREPARE FOR EMERGING REGULATIONS

PERCENTAGE OF RESPONDENTS AT EACH LEVEL OF GDPR COMPLIANCE

We asked these questions:
1. What progress has your organization made toward GDPR compliance/readiness?
2. Does your organization conduct the activities listed above in the European Union or otherwise process personal data of European Union citizens (e.g., names, unique IDs, email addresses or credit card information of customers or employees in the European Union)?

And the results were as follows:
- We are fully compliant/prepared: 8%
- We are developing our plan for GDPR compliance: 57%
- We have not developed or are not planning to develop a plan for GDPR compliance: 11%
- I do not know: 21%
- Other: 3%

Source: 2017 Marsh | Microsoft Global Cyber Risk Perception Survey

THE GROWING WAVES OF CYBER REGULATION
Paul Mee and James Morgan

In the recent past, there have been three major cyber-related regulatory developments in the US: the Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards (ECRM ANPR), the Cybersecurity Requirements for Financial Services Companies issued by the New York Department of Financial Services (NY DFS), and the revised version of the FFIEC Information Security Handbook. As has been reported broadly and discussed in many industry forums, these regulatory documents present some of the most prescriptive cyber risk management requirements to date and include substantial new requirements for an enterprise-wide view of cybersecurity.

We will not present a detailed summary of these regulations, but rather will synthesize the major points where we believe the regulations impose new and challenging pressures.

TOP-TO-BOTTOM CASCADING OF CONTROL

Consistent with other prominent regulatory programs, cyber regulations establish an expectation of direct oversight by the Board of Directors based on policies, standards, and procedures articulated by management. Once a comprehensive cyber risk management strategy is defined and implemented, organizations need to continuously monitor its effectiveness and measure its alignment with business priorities. Regulators want to enforce this philosophy by requiring firms to identify and assess all the activities and exposures that present cyber risk, and subsequently aggregate them to evaluate the enterprise-wide residual cyber risk. Continuous monitoring of such aggregated information will require significant effort from organizations, as they will need to design relevant metrics at different levels and make significant changes to their business processes across functions to include cyber risk in consistent ways.

Requirements for certification or attestation of compliance with internal policies, procedures, and regulatory standards will require further process definition and clarification of accountabilities.

Exhibit 1: SELECT SPECIFIC PRACTICAL EXPECTATIONS

In combination, FFIEC, ANPR, and NYDFS requirements entail a substantial increase in regulatory expectations for information management and security. Notable expansions of regulatory expectation, by category (the original exhibit attributes each item to one or more of FFIEC, ECRM and NYDFS):

Scope breadth and depth
- Scope of Non Public Information (NPI) still unclear, but can be interpreted as significantly broader than Non Public Personal Information
- Integration of Information Security into risk culture and decision-making

Strategy and governance
- Prescriptive governance document requirements
- Board-approved, enterprise-wide cyber risk appetite and risk tolerances
- Board-approved, written, enterprise-wide cyber risk management strategy
- Annual Board certification of compliance and annual Board reporting

Framework
- Integration of Information Security into third party risk management program
- Integration of Information Security into the Lines of Business (LoBs) and support functions
- Integration of Information Security into enterprise risk management framework
- Specific testing/assessment requirements (e.g., bi-annual vulnerability assessment)

Operating model
- Responsibility for cyber risk management across three independent functions
- Mandated Chief Information Security Officer (CISO) role
- Specific guidelines to be included in policies governing third-party cybersecurity

Infrastructure and capabilities
- Two-hour recovery time objective for sector-critical systems
- Quantification and aggregation of cyber risk with consistent, repeatable methodology
- Specific data protection requirements (e.g., multi-factor authentication)
- Maintenance of five-year audit trail for material financial transactions

Source: Oliver Wyman analysis


MULTIPLE LINES OF MANAGEMENT DEFENSE

Financial institutions have already been extending the Three Lines of Defense model to cyber risk management, drawing on experience from other areas of risk management. Regulators appear to be making such a model a formal requirement without specifying all expectations.

ECRM specifically suggests increased responsibilities for business lines, Audit, an independent Risk function, and the Board. Starting from the base of the Three Lines of Defense model, business units and technology still form the First Line of Defense. However, business units now face the added responsibility of identifying activities that contribute to cyber risk and measuring cyber risk on a continuous basis. In addition, business units will be required to frequently conduct assessments to evaluate the cyber risk across their activities and report them to the independent risk management function and senior management.

Regulators are favoring the CISO role reporting to the Risk function, implying a change in the interaction model, where the historical reporting line of a CISO was to the Chief Information Officer (CIO). The new paradigm expects a CISO to drive the execution of the cyber risk management strategy from the top down, with an enterprise-wide remit. At the same time, the CISO also needs to focus on identifying, measuring, and managing cyber risk at a business activity level with front line business unit management and the technology organization.

In addition to strengthening the role of business units and elevating the cyber risk function and CISO to the enterprise level, regulators are also prescribing that Audit play an elevated role. The Audit function has traditionally been responsible for conducting an independent assessment of cyber risk controls compliance. Going forward, Audit teams will be required to assess whether the established cyber risk management strategy is appropriate for the nature of the business, strategic objectives, and the board-approved residual cyber risk goals.

While the roles of business units and IT as the First Line of Defense and Audit as the Third Line of Defense are consistent across the industry, the design of the Second Line of Defense (made up of the CISO and the enterprise risk function) still varies. The role of the CISO and the definition of second line risk oversight will likely become an important area for achieving further organizational clarity, and an important one to get right to ensure effectiveness of activities without duplication of effort, diffusion of expertise, or a blurring of accountabilities. An organization's ability to effectively define and deploy its Lines of Defense will be critical in accelerating its readiness to monitor its primary assets and respond in the event of a cyberattack.

INSTITUTIONAL AND SYSTEMIC RESILIENCE

The new regulation is clearly oriented towards establishing greater institutional resiliency in being able to detect and manage inevitable cyberattacks through a more explicit risk-based approach. Further, there is a push towards promoting resiliency of the financial services system through regulation, a rationale for the imposition of controls to prevent interconnected institutions from negatively impacting each other and the financial system more broadly. We can expect this to lead to common checklists, standard reporting, regulatory submissions, etc., all aimed at establishing a level of certainty or confidence across the financial services sector. Such reviews would certainly be more intrusive and subjective, similar to qualitative aspects of CCAR reviews where fundamental risk management capabilities have been questioned.

The more traditional approach to cybersecurity has focused on strengthening the perimeter by investing in a broad spectrum of sophisticated technical capabilities and process controls across the organization. However, as recent regulation has identified, this approach has become less effective because organizations do not always have a clear understanding of their cyber adversaries and their related motives. In addition, cyber adversaries constantly evolve their attack methods and vectors. What will need to be refined and enhanced is the alignment of cyber surveillance with the cyber risk profile and risk appetite of the institution. In addition, the scope of surveillance will need to broaden and deepen as firms seek to confirm internally that cyber risk mindfulness is present and sufficiently effective throughout the organization.

EXPANDED VIEW OF THE ATTACK SURFACE TO INCLUDE THIRD PARTIES

One of the prominent features of the proposed regulations is the expansion of the notion of situational awareness. As a corollary of the risk-based approach to cybersecurity, the scope of situational awareness has expanded beyond organizational boundaries.


Keeping the interconnectedness of the financial sector in mind, regulators want financial institutions to think carefully about the impact they can have on the rest of the financial sector while managing the cyber risk they face from external dependencies and third-party relationships.

Regulators are also expecting institutions to expand the view of cyber threats to fully consider third parties (including vendors, partners and peers in the network), both in terms of vulnerabilities that could undermine critical services they provide to regulated financial institutions and the potential for them to be the weak point of defense through which cyberattackers infiltrate the critical systems of a financial institution.

Practically, it is also important to understand the nature of third-party access. Increasingly, adversaries are exploiting the electronic access consumers, corporates, and others have via their multi-channel, multi-device connections to financial institutions. In these arrangements, an institution needs to look at methods to help protect the customer, both as a means to protect itself and to demonstrate client support and due care.

Considering the cyber exposure of the many third parties is critical, but this also exponentially increases the complexity of the problem for financial institutions. Many organizations struggle to scale up their Information Security and IT Risk assessment and monitoring processes to keep up with the proliferation of third party vendors and partners within their ecosystem (and further, to deal with providers to these third parties, typically defined as fourth parties). The scoping of regulation to the largest institutions creates room for potentially unregulated contractors, vendors, and clients who have some degree of interface with enterprise systems to create transmission vectors.

Organizations will need to carefully evaluate the cyber resiliency of their overall ecosystem in the broadest sense and lay the necessary groundwork with key vendors, allies, and partners to address weak links in their overall business supply chain.

INTEGRATED, PROGRAMMATIC APPROACH TO CYBER RISK

Cyber regulation is focused on defining a distinct cyber defense program that can be identified and documented for supervisors, and establishing a cyber risk management strategy that will provide guidance to all business activities. Given regulatory insistence on multiple lines of governance and control, an institution's cyber program needs to be broader than the IT or Risk organization, with clear linkages to the institution's strategy and controls. Policies and procedures are one form through which cyber considerations are meant to be promoted through institutions, with accompanying training and positioning of specialized personnel in various parts of the organization also suggested.

Choreographing the interactions of standards and procedures, their enforcement, and the various accountabilities throughout the organization in a consistent manner will be particularly difficult. We can expect that the Board and senior executives, all the way down to front line supervisors, will seek evidence that policies, procedures, training, and expertise are effectively resulting in a much broader understanding of cyber aspects of the business, which is a significant change for a risk type that is not intuitive for many, nor an existing element of their day-to-day operations.

CONCLUSION

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices, but each institution will need to further ensure that it is tackling cyber risk in a manner fully aligned with the risk management strategy and principles of the firm.

This article is an excerpt from the Oliver Wyman report entitled Deploying A Cyber Risk Strategy: Five Key Moves Beyond Regulatory Compliance.

Paul Mee is a New York-based Partner in Oliver Wyman's Digital and Financial Services Practices. James Morgan is a New York-based Partner in Oliver Wyman's Digital and Financial Services Practices.


REGULATING CYBERSECURITY IN THE NEW YORK FINANCIAL SERVICES SECTOR
Aaron Kleiner


Regulation of cybersecurity practices is a challenging process, especially when local regulations can have global ramifications. There is a strong argument that prescriptive mandates can interfere with security professionals' agility in a highly dynamic environment, or slow the pace of innovation and negatively impact economic growth. However, there is a compelling counterargument that certain standards should be followed and minimum requirements set so that organizations meet a baseline level of cybersecurity protection, which can help protect societal values surrounding consumer protection and even public safety.

The essence of the regulatory challenge is not to choose sides, but rather how to make progress against several goals concurrently: empowering security practitioners and supporting innovation while ensuring baseline protections and advancing societal goals. Regulators have recently demonstrated an increased understanding and willingness to embrace this approach, often in collaboration with stakeholders from within regulated communities and others who would support their compliance. These regulatory development processes bear some characteristics of the multistakeholder model that has underpinned Internet governance dialogues for many years, in which a diverse group of representative communities engage collaboratively to address shared issues.

NEW TEMPLATE FOR CYBERSECURITY REGULATION

The cybersecurity regulation issued by the New York Department of Financial Services (the Department) was developed through an open consultative process and, as a result, has the potential to create an appropriate level of cybersecurity readiness without compromising security professionals' agility or organizational capacity for innovation. Microsoft provided input to the Department when the regulation was under development as part of our ongoing engagement with global financial services regulators to share perspectives on cloud computing and best practices for cybersecurity risk management. With implementation now underway across regulated institutions, Microsoft continues to partner with organizations to support compliance and determine the best approaches to address regulatory requirements.

There are several elements of the Department's rule that should serve as examples, or at least helpful reference points, for other regulators considering how to craft cybersecurity regulations. Specifically, three areas of the Department's focus should inform the development and growth of cybersecurity regulations:
- First, the Department's emphasis on having appropriate organizational infrastructure in place to manage cybersecurity risk on an ongoing basis;
- Next, the Department's recognition of how a risk-informed approach enables appropriate cybersecurity investments; and
- Finally, the Department's reliance on a narrow set of proven cybersecurity tools as mandatory requirements to protect regulated entities and their customers.

Building an organizational infrastructure for cybersecurity risk management means more than protecting a network perimeter or investing in cutting-edge tools. Having effective leaders positioned in appropriate roles is equally as important as the processes they implement or technologies they leverage, and the Department's approach reflects this reality. For example, the Department's requirement that organizations have a Chief Information Security Officer with responsibility for the organization's Cybersecurity Program, as well as a mandate to inform the Board of Directors, reflects a vision for cybersecurity risk management that is inherent to the organization's internal functions. In addition, the Department appropriately emphasizes keeping cybersecurity professionals current with trends and best practices by requiring organizations to provide ongoing education.

The Department's approach also reinforces the centrality of a risk-informed approach to cybersecurity. The regulation positions an organizational Risk Assessment as a key input into the Cybersecurity Program, and further mandates risk assessments when engaging Third Party Service Providers. However, the regulation does not prescribe a particular model or framework to assess risk, which empowers organizations to make their own determinations about their risk appetite. Given the

broad range of cybersecurity guidance available


to critical infrastructure organizations, like the ORGANIZATIONS MAY HAVE THE
NIST Cybersecurity Framework, the Departments COMPETENCE AND RESOURCES TO
non-prescriptive formula helps to avoid duplication
of existing and relevant risk assessment tools that
IMPLEMENT THESE REQUIREMENTS ON
organizations can use. THEIR OWN, BUT OFTEN THE EXPERTISE
The Department is prescriptive in some respects, DOES NOT RESIDE IN-HOUSE OR THE BUDGET
but these prescriptions often reflect practices that WILL NOT ACCOMMODATE ALL NECESSARY
should be implemented regardless of whether they
INVESTMENTS.
are required by law. Use of multifactor authentication,
encryption, vulnerability assessments, penetration
testing, and similar measures set forth in the
regulation are recognized as effective. To the extent
that cybersecurity practices should be mandated, inevitably draw considerable interest from malicious
the Departments approach reflects what many actors determined to assess vulnerabilities across the
practitioners would likely require themselves. financial sector. Indeed, the incident data reported to
Nonetheless, proper configuration and other the Department could significantly enable attackers if
implementation details are essential to whether not protected properly.
these requirements have a meaningful impact on For technology providers and their regulated
cybersecurity. For example, not all encryption is customers, the regulations offer a unique opportunity to
created equal, and organizations should ensure that begin the journey towards a world where cybersecurity
they are not using outdated algorithms like SHA-1. is regulated in new ways by different regulatory actors.
Many observers of the cybersecurity policy space would
not have anticipated that a state financial services
CLOUD COMPUTING AS regulator would be among the first to develop and
COMPLIANCE ENABLER enforce new cybersecurity rules. Moreover, the same
Cloud computing offers a unique model for observers may not have immediately grasped that
organizations to manage compliance with the regulations implemented in New York would effectively
regulation, particularly in its more prescriptive have global resonance, but the concentration of
aspects. Organizations may have the competence globally-significant financial institutions expands the
and resources to implement these requirements on Departments impact.
their own, but often the expertise does not reside
in-house or the budget will not accommodate all
necessary investments. In other cases, organizations CONCLUSION
simply may not want to take on all the work to make Microsoft looks forward to continued dialog with
their on-premise deployments compliant. Because the stakeholders across the public and private sectors
regulation allows for technology outsourcing subject to drive the development of cybersecurity policy.
to appropriate controls, organizations have the option The Departments new rules will certainly move
to leverage cloud services while remaining compliant this dialogue forward and provide learnings about
with the regulation. how to strengthen cybersecurity readiness without
Looking ahead, a major test facing the Department compromising security practices flexibility or
will be the incident reporting requirement. Such opportunities for innovation.
reporting has high potential for distorting the
signal-to-noise ratio; the Department may need to
help inform decisions about which incidents are
truly material to regulated organizations as well
as offer insight into whether reported incidents
provide guidance about effective cyber defenses or
attacker behavior. Moreover, the Department must
demonstrate that it can securely manage the incident Aaron Kleiner serves as the Director for Industry Assurance
data reported through its new online portal, which will and Policy Advocacy for Microsoft

THE REGULATORY ENVIRONMENT IN EUROPE IS ABOUT TO CHANGE, AND PROFOUNDLY
FireEye | Marsh & McLennan Companies

While the front pages of the Wall Street Journal, USA Today and the New York Times regularly feature reports of breaches against US-headquartered companies, the situation appears on the surface to be blissfully different in Europe. It is exceedingly rare that Der Spiegel, Le Monde or Corriere della Sera carry accounts of high-profile breaches against large European companies.

Why is that? The fundamental difference in the two continents is that in the United States, more than 50 federal, state and local laws mandate disclosure of cyber breaches to regulators or affected consumers. Until recently, the regulatory regime in Europe was far different.

That is about to change profoundly. With the recent passage of the European Union's General Data Protection Regulation (GDPR), companies will soon be required to publicly disclose data breaches to national data protection authorities and, where the threat of harm is substantial, to affected individuals. Failure to do so could result in fines of as much as four percent of a company's global turnover, a staggering sum. This sea change in the public reporting obligations of companies will carry significant ramifications for governments, businesses and consumers across Europe. In addition, the Network Information Security Directive, adopted by the EU in July 2016, will place further demands on governments and the operators of critical infrastructure.

EU GENERAL DATA PROTECTION REGULATION

Jan Philipp Albrecht, a member of the European Parliament from Germany and the Rapporteur for the GDPR, captured the awesome aspirations of European policymakers in approving this new regulation: "The GDPR will change not only the European data protection laws but nothing less than the whole world as we know it."

Albrecht's comment reflects the strength of the belief in Europe that privacy constitutes a fundamental human right.

With the growth of Internet-related technology, companies have accumulated troves of personal data. Business procedures have typically been focused on aggregating broad categories of data gleaned from consumers. Fearing the impact to the privacy rights of individuals, the European authorities are now strengthening privacy law to control, limit and expose the sweeping collection and use of data by many organizations.

Once implemented in May 2018, the GDPR will introduce a seismic shift in how companies retain and utilize personal data of individuals subject to the EU's jurisdiction. To prepare for implementation, companies must begin assessing the current state of their operations and the sweeping breadth of the new requirements. While the regulation is nearly 90 pages long, there are four broad themes that are worth emphasizing:
• Individuals will have enhanced rights.
• Companies will be forced to reassess the manner in which they process and retain data.
• Companies will need to review their contractual arrangements with a host of third parties.
• Companies will be held to far stricter accountability and sanctions.

Exhibit 1: COMPONENTS OF GDPR IMPLEMENTATION
• Security breach notification
• Extra-territorial reach over EU data
• Data impact assessment
• Enhanced enforcement: fines as high as 4% of global revenue
• Individual rights
• Restriction on secondary users
• Data privacy officers
• Notice and consent
Source: FireEye|Marsh & McLennan Cyber Risk Report 2017, Cyber Threats: A perfect storm about to hit Europe?

SWEEPING JURISDICTION

The GDPR purports to extend its reach far beyond the borders of the European Union to any organization that might collect or process personal data of an individual subject to EU jurisdiction (known as EU data subjects). Extending data protection beyond EU borders reflects the EU's view that data privacy protections should apply wherever data may travel. In practice, the broad jurisdictional provisions signal a clear hope that the GDPR's complex regulations will have a global impact.

PRIVACY IMPACT ASSESSMENTS

Businesses can expect both regulatory authorities and individuals to make inquiries about how data is being processed. Individuals can object to any data collection made without an adequate basis and can demand correction of inaccurate information. Organizations must perform so-called data impact assessments prior to collecting data. The GDPR provides guidance on practices to protect data, such as de-linking data from identities (pseudonymisation), encryption, regular assessments of technical controls, and incident response plans that account for maintaining the confidentiality and integrity of data.

AFFIRMATIVE CONSENT AND THE RIGHT TO BE FORGOTTEN

The GDPR makes clear that no company may collect personal data without first notifying users of how their data will be stored, protected and shared with third parties. In order to collect data, the company must first obtain the individual's freely given, specific, informed and unambiguous consent for the collection. The GDPR will require users to give consent by affirmatively clicking on a consent notice or opting for specific technical settings that allow for the data collection.

Lastly, the GDPR codifies the right to be forgotten. Already recognized by European courts and some member states, the right to be forgotten allows data subjects to demand that their personal data be erased and no longer used for processing.

So that is the dramatically altered regulatory regime that will begin to take effect in early 2018. What insight do we have about how sweeping its impact will likely be?

THE DUTCH MINI-GDPR

This is where the Dutch mini-GDPR comes into play. After a series of cyberattacks in 2015, the Dutch Parliament passed a Personal Data Protection Act, known as the Wet Bescherming Persoonsgegevens (WBP), in late 2015. In the time since the Dutch mini-GDPR took effect on January 1, 2016, companies have already notified the Dutch authorities of more than 5,500 cyber incidents. Extrapolating these figures across the EU gives a glimpse of what management will likely confront in response to inquiries from regulators, supervisory boards and the press.

NETWORK INFORMATION SECURITY DIRECTIVE

To enhance focus on the specific vulnerabilities regarding critical infrastructure, the EU separately enacted the Network Information Security (NIS) Directive. Also scheduled to take effect in 2018, the NIS Directive will impose additional obligations on EU member states and infrastructure operators to raise the baseline of their cybersecurity capabilities. For example, the NIS Directive will require all member states to have a cybersecurity strategy, a national competent authority, and national cybersecurity incident response teams.

Several EU nations have already demonstrated early leadership. For example, Germany announced the creation of a mobile Quick Reaction Force as part of its Federal Office for Information Security.

WITH THE THREAT ENVIRONMENT INTENSIFYING AND THE REGULATORY ENVIRONMENT ABOUT TO CHANGE PROFOUNDLY, THE QUESTION BECOMES WHETHER INDUSTRY AND EVEN GOVERNMENT ARE READY FOR THESE CHANGES.

Marsh surveyed the cyber practices at more than 750 of its clients across continental Europe in the fall of 2016. The study found that while high-profile events, government initiatives, and legislation have pushed cybersecurity to the forefront, far more work needs to be done.

For example, Marsh found that the percentage of companies indicating that they assessed key suppliers for cyber risk actually decreased from 23 percent in 2015 to 20 percent in 2016. As numerous attacks in the US and elsewhere have shown, hackers often gain access to larger organizations by initiating attacks against smaller vendors that provide services like air conditioning or takeout food.

General awareness of the risk posed by cyberattacks, while increasing, remains low. The percentage of companies that report having a strong understanding of their cyber posture increased from 21 percent in 2015 to 31 percent in 2016. Similarly, companies that regard cybersecurity as a top-five risk increased from 17 percent in 2015 to 32 percent in 2016, and the percentage of organizations that did not even include cyber on their risk register dropped from 23 percent in 2015 to 9 percent in 2016.

CONCLUSION

Despite this progress, European companies, like their counterparts around the world, have a long way to go to keep pace with the dramatically changing threat and regulatory environments.

This article is an excerpt from the FireEye|Marsh & McLennan Cyber Risk Report 2017, Cyber Threats: A perfect storm about to hit Europe?
CYBERSECURITY AND THE EU GENERAL DATA PROTECTION REGULATION
Peter Beshar

The countdown has begun. In less than a year, tough new rules on data protection will come into effect in the European Union. For the first time, companies will be required to notify regulatory authorities, and potentially consumers, in the event of a significant cyber breach. In elevating the rights of consumers, the EU General Data Protection Regulation (GDPR) represents a sea change in how companies will have to operate, and many are not ready.

NEW CYBER REGULATIONS WITH BROAD IMPACTS

Oliver Wyman, one of the Marsh & McLennan Companies, predicts that fines and penalties in the first year alone may total 5 billion, or more than $6 billion, for FTSE 100 companies. Adherence to GDPR requirements will require senior management, and not solely IT departments, to assume greater responsibility for cybersecurity. This shift means more than drafting a new organizational chart. It represents a profound transformation in how industries retain, use, and manage data and how leaders understand, mitigate, and respond to cyber intrusions.

To compound matters, the WannaCry worm showed just how vulnerable companies are. In the span of 48 hours, the WannaCry malware infected more than 300,000 computers across multiple continents. The attack provides a glimpse into a dark future, where cybercriminals operate with growing ease and impunity. Given the array of hacking tools reportedly stolen from the US National Security Agency in April, experts believe that more variants of WannaCry will be deployed shortly.

As the cyber threat landscape grows more complex, European regulators are not alone in mandating greater accountability at the executive level. For example, in May, New York state adopted a sweeping new regulation requiring financial services institutions to perform risk assessments, meet minimum protection standards, report breaches, and certify compliance. The Chinese government has also imposed broad new cyber requirements.

These myriad changes will impact virtually every aspect of a company's operations. In Europe, for example, newspapers will likely be filled next spring and summer with stories of significant breaches as companies begin reporting under the GDPR. And as consumers are alerted to breaches, regulators and data protection authorities will likely jump into the fray.

Moreover, the GDPR grants EU consumers broad rights to access, correct, and delete their personal data. As a consequence, Oliver Wyman estimates that at least 90 million gigabytes of data may be implicated. Supervisory boards will demand assurances from management teams that are likely not yet accustomed to this level of scrutiny.

Even those companies that do not fall under the new regulations should take proactive measures to protect their businesses against a cyber breach.

RESPONDING TO EMERGING REGULATIONS: FIVE IMPORTANT STEPS

Steps that businesses may wish to consider include:
• Set a tone at the top of awareness and urgency. In heightening anxiety worldwide, the WannaCry attack provides an opportunity for executives to demonstrate leadership by prioritizing cyber preparedness. Companies should use this moment, with memory of the attack still fresh, to remind their teams of the importance of good cyber hygiene.
• Identify translators. Too often, the technical team that defends systems and detects and combats cyber incidents speaks a language the C-suite does not understand. Executives need to have the right people in place who can provide them with timely and strategic advice. These translators need to be able to understand both the reputational risk to the company's brand and the technical requirements of the company's systems.
• Implement best practices. Senior management cannot afford to be detached from their company's cybersecurity plans any longer. A vital lesson from WannaCry is the importance of developing consistent protocols for patching known software flaws. Executives should engage directly with their IT teams around emerging best practices like multifactor authentication, encryption tools, and penetration testing.
• Start communicating with customers and shareholders now. Companies should prepare their stakeholders for an era of greater transparency and disclosure and the almost inevitable day when cyber intrusions occur. Help your customers understand how you collect and use their personal data. Nothing will be worse for your company or your customers than over-promising and under-delivering on cybersecurity.
• Make up for lost time. The penalties for non-compliance with the GDPR are severe: up to 4% of a company's total turnover. For companies with annual revenues of $12 billion, for example, potential fines will run up to $500 million. Companies should test their cyber incident response plans through drills or simulations, and develop cross-department muscle and relationships of trust that will be needed in the event of a serious breach. Executives should also reach out to regulators, law enforcement authorities, and policymakers, not so much to lobby but rather to share insight and information, and to help shape the rules as they evolve. No one has all the answers.

CONCLUSION

Sound practices and sheer chance ultimately stopped the WannaCry malware and saved countless institutions from even worse breaches. It is unlikely the unprepared will be so lucky next time. Corporate leaders must act today to ensure their companies can adapt and excel in a world of growing risk, opportunity, and significant new regulations.

Peter Beshar, based in New York, is the Executive Vice President and General Counsel for Marsh & McLennan Companies, Inc.
CYBERATTACKS AND LEGISLATION: A TIGHTROPE WALK
Jaclyn Yeo

The increasingly worrying global cyber risk trend has prompted lawmakers in many countries to either introduce or update their data privacy laws. This is a first step to ensuring better management, security and data control, which ultimately builds cyber resilience.

China will officially roll out its new Cybersecurity Law on June 1, signifying the government's intent to strengthen cyber regulations. Up to this point, China only had some general directives and localized guidelines for a secure and controllable internet. This new national law, however, is a head-turner for everyone doing business with China and will have implications on those business operations.

SIGNIFICANT PROVISIONS OF THE CYBERSECURITY LAW

This law is the first legislation at the national level to establish legal principles for data privacy, and the financial penalties for data breach incidents are severe. In the event of a compromise to personal data, companies can be charged penalties of up to RMB1 million ($150,000) or ten times the illegal income, while penalties for individuals directly in charge can be up to RMB100,000.

In terms of data localization, the new Cybersecurity Law will require critical information infrastructure (CII) facilities to store personal information and other important business data collected or generated in China physically in China. CII operators must have government approval to transfer this data outside the country if it is truly necessary. Companies that do not localize their data face potential financial penalties, including possibly losing their ability to conduct business in mainland China.

Furthermore, network operators are required to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations under the data residency clause.

Finally, for data security purposes, both CII facilities and network operators in China are required to comply with national standards and mandatory requirements such that equipment and products are safety-certified by inspection.

A MUCH-NEEDED MINDSET SHIFT

Since its announcement in late 2016, China's Cybersecurity Law has received much attention for the wrong reasons. Additional barriers to trade and innovation, greater complexity and higher-risk concerns for foreign companies doing business in China are some criticisms of the law by foreign business communities.

However, the recent global extortion cyberattack may significantly shift these negative mindsets and change perspectives on the new law.

Massive ransomware cyberattacks hit critical information infrastructures around the world on May 12, ranging from the UK's National Health Service to a Spanish telecom giant and one of the world's largest international courier services companies headquartered in the United States. The unprecedented cyberattack over that weekend affected more than 200,000 computers across 150 countries, according to Europol, with the numbers expected to increase in the aftershocks ahead.

Asia-Pacific countries were not spared either. According to China's official Xinhua News Agency, more than 29,000 educational institutions were affected by similar attacks. Other infected computers were detected at railway stations, hospitals, office buildings, retail malls and government agencies. Over the next few days, more reports of similar attacks surfaced, impacting dozens of other countries, including Singapore, Japan and Australia.

In the face of this unprecedented scale of ransomware cyberattack, tighter cybersecurity legislation has been cast in the limelight. Are our current cyber legal systems aggressive enough to take on these ever-growing and ever-present cyber adversaries? Are our cybersecurity protection schemes and cyber risk management frameworks comprehensive enough to minimize and mitigate future attacks of similar or greater scale?

While the financial and economic impacts are still being assessed in the aftermath of events, the extent of psychological implications could be far more substantial. This rude wakeup call might just be what is required right now. The need for transparency through stricter and more robust legislation is emphasized time and again, as it is a critical first step in risk management, driving the awareness needed to initiate the actions required to overcome adversaries and mitigate cyber risks.

Expectedly, the ransomware attack should lead to addressing the complacency in boardrooms at business levels regarding the seriousness of cyber threat. Perhaps it could even shift mindsets and perceptions of the foreign business community toward China's Cybersecurity Law, which is coincidentally timely in its implementation just after the attack.

IN LIGHT OF CHINA'S NEW LAW, WHAT SHOULD BUSINESSES DO?

In addition to the Chinese government strengthening cyber regulations, the public needs to focus on being cybersecure and responsible, while companies (both local and foreign) need to ensure their businesses are in compliance with the new cybersecurity regulations and take corporate actions for managing cyber risks.

As part of enterprise-wide cyber risk management, foreign companies looking to do business in China should conduct an additional overall China risk assessment to assess their cyber risk exposure in the China market. Specific reference to the Cybersecurity Law is recommended as the focal point to ensure effective and efficient strategic business plans.

Marsh recently released a risk alert to its clients on China's Cybersecurity Law and its impact on Multinational Companies (MNCs), which highlighted three key recommendations for MNCs:
• Conduct comprehensive risk identification for cybersecurity threats (for example, virus/spyware/malware, distributed denial-of-service attack, phishing) followed by proper insurance coverage plans.
• Enhance the cyber risk management framework, including a clear definition of roles and responsibilities, a robust risk management process, advanced technical means, information technology (IT) operation control and log records.
• Establish and improve business continuity plans and develop contingency plans related to cybersecurity threats.

Furthermore, robust cyber risk management skills begin with leadership from the boardrooms. In general, boards can consider the following questions when evaluating the impact of China's new Cybersecurity Law:
• Does our business fall under the definition of Critical Information Infrastructure? If so, will there be significant impacts on our internal plans for data storage, transmission and network security in China? Do we understand the parameters we must all work within and do we have the correct safeguards in place to be compliant?
• Are we storing information generated or gathered in mainland China on servers in mainland China?
• Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
• What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
• What additional investments do we need to comply with this law and ensure the business is cybersecure?

CONCLUSION

It is true that the new regulations in China, as they will elsewhere, pose a few challenges for businesses. Indeed, they will also raise questions around data control and privacy. However, given the increasing frequency of cyberattacks, other countries are likely to follow suit and tighten regulations as well.

This article first appeared on BRINK on May 22, 2017. BRINK is the digital news service of Marsh & McLennan Companies' Global Risk Center.

Jaclyn Yeo, based in Singapore, is a Senior Research Analyst at Marsh & McLennan Companies' Asia Pacific Risk Center.
CYBER RESILIENCE BEST PRACTICES

CYBER PREPAREDNESS ACROSS INDUSTRIES AND REGIONS

Percentage of respondents who are confident in their organization's ability to ... (N=1312 for each of the three questions)

                        Understand (identify     Mitigate and prevent    Manage, respond, and
                        and assess) its          its cyber risk          recover from a
                        cyber risk                                       cyber incident
Highly confident        28%                      19%                     19%
Fairly confident        60%                      66%                     62%
Not at all confident     9%                      12%                     14%
Do not know              3%                       4%                      6%

Source: 2017 Marsh | Microsoft Global Cyber Risk Perception Survey
53
MMC CYBER HANDBOOK 2018

DEPLOYING A CYBER
STRATEGY FIVE MOVES
BEYOND REGULATORY
COMPLIANCE
Paul Mee and James Morgan
MMC CYBER HANDBOOK 2018 CYBER RESILIENCY BEST PRACTICES

F
inancial institutions are acutely aware that cyber While this paper is US-centric, especially with regard
risk is one of the most significant perils they face to regulation, these points are consistent with global
and one of the most challenging to manage. trends for cyber risk management. Further, we believe
The perceived intensity of the threats, and Board level that our observations on industry challenges and the
concern about the effectiveness of defensive measures, steps we recommend to address them are applicable
ramp up continually as bad actors increase the across geographies, especially when considering
sophistication, number, and frequency of their attacks. prioritization of cyber risk investments.
Cyber risk management is high on or at the top
of the agenda for financial institutions across the
sector globally. Highly visible attacks of increasing FIVE STRATEGIC MOVES
insidiousness and sophistication are headline news The current environment poses major challenges
on an almost daily basis. The line between criminal for Boards and management. Leadership has to fully
and political bad actors is increasingly blurred with understand the cyber risk profile the organization faces
each faction learning from the other. In addition, with to simultaneously protect the institution against ever-
cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.1

Cyber offenses against banks, clearers, insurers, and other major financial services sector participants will not abate any time soon. Looking at the velocity and frequency of attacks, the motivation for cyberattack upon financial services institutions can be several hundred times higher than for non-financial services organizations.

Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions' Cyber Risk.

In this paper, we explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:
• Seek to quantify cyber risk in terms of capital and earnings at risk.
• Anchor all cyber risk governance through risk appetite.
• Ensure effectiveness of independent cyber risk oversight using specialized skills.
• Comprehensively map and test controls, especially for third-party interactions.
• Develop and exercise major incident management playbooks.

changing threats and be on the front foot with regard to increasing regulatory pressures, while prioritizing the deployment of scarce resources. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set and what resources will need to be committed to achieve passing grades.

With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.

1. Seek to quantify cyber risk in terms of capital and earnings at risk

Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.

For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Further, regulators have expected this as a component of regulatory and economic capital, CCAR, and/or

1 Joint Chiefs of Staff

Copyright 2017 Marsh & McLennan Companies 55


MMC CYBER HANDBOOK 2018 CYBER RESILIENCY BEST PRACTICES

resolution and recovery planning. Predicting losses due to Cyber is particularly difficult because it consists of a combination of direct, indirect, and reputational elements which are not easy to quantify. In addition, there is limited historical cyber loss exposure data available to support robust cyber risk quantification.

Nevertheless, institutions still need to develop a view of their financial exposures to cyber risk with different levels of confidence and understand how this varies by business line, process, or platform. In some cases, these views may be more expert based, using scenario analysis approaches as opposed to raw statistical modeling outputs. The objectives are still the same: to challenge perspectives as to how much risk exposure exists, how it could manifest within the organization, and how specific response strategies are reducing the institution's inherent cyber risk.

2. Anchor all cyber risk governance through risk appetite

Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board's concerns about whether appropriate risks are being considered and managed effectively.

Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.

Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.

Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of metrics, assessments, and practical tests or exercises at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices. Finally, the Second and Third Line can have focal points to review and assure compliance.

A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards. Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.

3. Ensure effectiveness of independent cyber risk oversight using specialized skills

From our perspective, firms face challenges when attempting to practically fit cyber risk management into a Three Lines of Defense model and align cyber risk holistically within an enterprise risk management framework.

CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.

In order to more clearly segregate the roles between IT, business, and Information Security (IS), the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned as a 1.5 Line of Defense position. This allows an Information Security group to provide more formal oversight and guidance on the cyber requirements and to monitor day-to-day compliance across business and technology teams.


Exhibit 1: THREE LINES OF DEFENSE CONCEPT AS APPLIED TO CYBER

Business Units (e.g., IT, Ops)
• Assess cyber risks associated with activities of the business unit on an ongoing basis
• Ensure that cyber risk information is shared in a timely manner with senior management, including the CEO

Office of the CISO
• Ensure operations are consistent with cyber risk management framework
• Identify, measure and monitor cyber risks and notify the CEO, board and CRO accordingly

Risk Management function
• Maintain sufficient independence, stature, authority, resources and access to board
• Be well integrated with enterprise-level strategic risk management function
• Maintain linkages to key elements of internal and external dependency management such as policies, standards, roles and responsibilities

Audit
• Evaluate effectiveness of risk management, internal controls, and governance
• Assess whether the cyber risk management framework is appropriate in the face of emerging risks and complies with laws and regulations
• Incorporate assessment of cyber risk management into overall audit plan of enterprise
• Evaluate compliance via penetration testing and vulnerability assessments

Source: Oliver Wyman

Further independent risk oversight and audit is clearly needed as part of the Third Line of Defense. Defining what oversight and audit means becomes more traceable and tractable when specific governance mandates and metrics from the Board down are established.

Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures. At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.

4. Comprehensively map and test controls, especially for third party interactions

Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test the efficacy of surveillance, the effectiveness of protection and defensive controls, the responsiveness of the organization, and the ability to recover in a manner consistent with expectations of the Board.

Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties need to be tiered based on their access to and interaction with the institution's high value assets. Through this assessment process, institutions need to obtain a more practical understanding of their ability to get early warning signals against cyber threats. In a number of cases, a firm may choose to outsource more IT or data services to third party providers (e.g., Cloud) where they consider that this option represents a more attractive and acceptable solution relative to the cost or talent demands associated with maintaining Information Security in-house for certain capabilities. At the same time, the risk of third party compromise needs to be fully understood with respect to the overall risk appetite.


Exhibit 2: KEY CYBER CONTROL TESTS, ALIGNED TO THE NIST CYBERSECURITY FRAMEWORK

1. IDENTIFY
• Cyber risk assessment: Baseline assessment of threat profile, security and expected loss
• Overall technical security assessment: Assessment of technical security effectiveness capabilities
• Third party security reviews: Assessment of third party security

2. PROTECT
• Software development lifecycle (SDLC) security testing: Assessment of the security control functionality against security requirements
• Impact analysis of patches: Assessment of internal and third-party patch impact on security and functionality of the application environment

3. DETECT
• Application security testing: Independent assessment of security capabilities of an application
• Vulnerability scans: Periodic scans of internally and externally facing servers for known security issues and vulnerabilities
• Network penetration testing: Assessment to identify vulnerabilities in network security
• Physical penetration testing: Assessment to identify vulnerabilities in physical security
• Red team exercises: Stealth assessment of organization's digital infrastructure and defenses

4. RESPOND
• Tabletop exercises: Assessment of incident response capabilities across pre-determined threat scenarios
• Simulation/war gaming: Dynamic simulation of a threat facilitated by a third party to assess incident response readiness and effectiveness

5. RECOVER
• BC/DR tabletop testing: Assessment of stakeholders' response preparedness and effectiveness of business continuity plan
• Remediation: Initiation of action plans and mobilization of resources to remediate following a cyber incident

Source: Oliver Wyman

5. Develop and exercise incident management playbooks

A critical test of an institution's cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs. As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include a comprehensive array of attack scenarios, clear identification of accountabilities across the organization, response strategies, and associated internal and external communication scenarios.

Institutions need to thoroughly test their incident response plan on an ongoing basis via table top exercises and practical drills. As part of a table top exercise, key stakeholders walk through specific attack scenarios to test their knowledge of response strategies. This exercise provides an avenue for exposing key stakeholders to more tangible aspects of cyber risk and their respective roles in the event of a cyberattack. It also can reveal gaps in specific response processes, roles, and communications that the institution will need to address.

Last but not least, incident management plans need to be reviewed and refined based on changes in the overall threat landscape and an assessment of the institution's cyber threat profile, on a yearly or more frequent basis depending on the nature and volatility of the risk for a given business line or platform.


Exhibit 3: KEY THIRD PARTY CYBER RISK MANAGEMENT CONTROLS

DUE DILIGENCE REQUIREMENTS (Initial and ongoing)
• Company background accreditation
• Financial reviews
• Insurance liability coverage validation
• Business license certification
• Information security assessment and onsite visit

SECURITY ASSESSMENTS (Onsite and remote)
• Ongoing outside-in external security scans
• Security recertifications (e.g., annually)
• Changes in regulations and/or compliance requirements

SECURITY SCORECARDS
• Technology operational metrics (availability, reliability)
• Reported cyber security events (time to detect, respond, communicate, resolve, associated impact)
• Vendor/partner security training compliance

ESCALATION AND REPORTING
• Third party review meetings
• Escalation and tracking of issues/concerns identified
• Board and Risk governance reporting

Source: Oliver Wyman

CONCLUSION

Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber. Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices, but each institution will need to further ensure that they are tackling cyber risk in a manner fully aligned with the risk management strategy and principles of their firm. In this context, we believe the five moves advocated in this paper represent multiple strategically important advances almost all financial services firms will need to make to meet business security, resiliency, and regulatory requirements.

This article is an excerpt from the Oliver Wyman report entitled Deploying A Cyber Risk Strategy: Five Key Moves Beyond Regulatory Compliance.

Paul Mee is a New York-based Partner in Oliver Wyman's Digital and Financial Services Practices.
James Morgan is a New York-based Partner in Oliver Wyman's Digital and Financial Services Practices.


QUANTIFYING CYBER BUSINESS INTERRUPTION RISK
Peter Beshar

As we prepare for the next global pandemic cyberattack, one clear lesson is that the technological infrastructure on which we rely is more fragile than is often appreciated. The WannaCry attack reinforced the need for businesses to address the growing risk and financial consequences of Cyber Business Interruption (Cyber BI).

Although historical data can be relied on to estimate the impacts of data breaches, Cyber BI costs can be more difficult to determine because every company's IT systems, infrastructure, and exposures differ. How much an event costs will depend on several factors, including the organization's business operations model, incident response capabilities, actual time to respond, and the associated insurance coverages. By undertaking a Cyber BI risk quantification analysis, you not only gain a better understanding of the status quo and associated costs, but a foundation for making more informed risk mitigation and transfer investment decisions and improving cyberattack resiliency.

To more accurately quantify Cyber BI risk, businesses can use scenario-based analyses. In the wake of the WannaCry incident, potential disruption scenarios should be reconsidered to include complex ransomware events and their second- and third-order consequences, such as supply chain disruptions or physical damage.

A scenario-based analysis should focus on three factors:
• Estimating the severity and likelihood of a Cyber BI event. Using realistic scenarios can allow organizations to more accurately quantify the potential financial loss from a cyber BI event. Equally important is to scope these scenarios such that their likelihood of occurrence falls within a preselected range based on enterprise risk appetite and tolerance considerations.
• Identifying mitigation options. Depending on the significance of an organization's Cyber BI exposures, risk mitigation options could include changing business processes, re-architecting IT infrastructure to improve resilience, enhancing IT restoration capabilities, or strengthening technical cybersecurity controls. To properly evaluate these choices and identify the strategies that will have the greatest impact, it's important to have a credible estimate of potential Cyber BI exposure.
• Evaluating risk transfer options. Cyber BI is often underinsured or uninsured because many businesses do not fully quantify their risk prior to suffering a loss. But insurers are increasingly offering broader coverage for these exposures in both cyber policies and traditional property all-risk policies. A scenario-based cyber BI risk quantification analysis can support the proper structuring of these insurance options, including selecting appropriate limits.

This article is an excerpt from the Marsh Insight entitled #WannaCry: Lessons Learned and Implications.

Peter Beshar, based in New York, is the Executive Vice President and General Counsel for Marsh & McLennan Companies, Inc.
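The three-factor scenario analysis described above, carried through on constructed figures as an added example (not part of the Marsh article): each scenario carries an annual likelihood and a loss built from downtime, lost revenue per hour and a fixed recovery cost; the code screens scenarios against a preselected return-period band, values a mitigation option that shortens downtime, and sizes an insurance limit above a retention. All scenario values, the loss model and the appetite band are assumptions.

```python
"""Scenario-based Cyber BI quantification: severity and likelihood, mitigation
options, and risk transfer. Added illustration, not code from the Marsh article;
every scenario figure below is constructed and the loss model is a simplification."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_likelihood: float  # probability the scenario occurs in a given year
    downtime_hours: float     # outage duration of the affected processes
    revenue_per_hour: float   # lost revenue per hour of outage (USD)
    recovery_cost: float      # fixed forensics, rebuild and overtime cost (USD)

    def loss(self) -> float:
        """Financial loss if the scenario occurs (assumed model: BI plus recovery)."""
        return self.downtime_hours * self.revenue_per_hour + self.recovery_cost


# Constructed scenarios, including the second- and third-order effects the
# article mentions (supply chain disruption, physical damage).
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.10, 48, 25_000, 400_000),
    Scenario("Self-propagating worm across plants", 0.02, 168, 60_000, 2_500_000),
    Scenario("Key supplier taken offline (supply chain)", 0.05, 96, 15_000, 150_000),
    Scenario("Physical damage via ICS compromise", 0.005, 720, 40_000, 8_000_000),
]


def expected_annual_loss(scenarios) -> float:
    """Likelihood-weighted loss across scenarios (assumes at most one occurrence each per year)."""
    return sum(s.annual_likelihood * s.loss() for s in scenarios)


def within_appetite(scenarios, min_return_years, max_return_years):
    """Scenarios whose return period (1 / annual likelihood) lies inside the
    preselected band set by risk appetite and tolerance."""
    return [s for s in scenarios
            if min_return_years <= 1 / s.annual_likelihood <= max_return_years]


def loss_exceedance(scenarios) -> List[Tuple[float, float]]:
    """(loss, annual probability of a loss at least this large), largest loss first.
    Scenarios are treated as independent, so P(any of k) = 1 - prod(1 - p_i)."""
    curve, survive = [], 1.0
    for s in sorted(scenarios, key=lambda sc: sc.loss(), reverse=True):
        survive *= 1 - s.annual_likelihood
        curve.append((s.loss(), 1 - survive))
    return curve


def mitigation_benefit(scenarios, downtime_factor) -> float:
    """Expected-loss reduction from a mitigation option that shortens downtime,
    e.g. stronger IT restoration capability cutting outages to downtime_factor."""
    mitigated = [replace(s, downtime_hours=s.downtime_hours * downtime_factor)
                 for s in scenarios]
    return expected_annual_loss(scenarios) - expected_annual_loss(mitigated)


def recommended_limit(scenarios, retention, min_return_years, max_return_years):
    """Insurance limit covering the largest in-appetite scenario above the retention;
    scenarios outside the band are treated as accepted or addressed elsewhere."""
    in_band = within_appetite(scenarios, min_return_years, max_return_years)
    worst = max((s.loss() for s in in_band), default=0.0)
    return max(worst - retention, 0.0)


if __name__ == "__main__":
    print(f"Expected annual Cyber BI loss: ${expected_annual_loss(SCENARIOS):,.0f}")
    for loss, prob in loss_exceedance(SCENARIOS):
        print(f"  P(loss >= ${loss:>12,.0f}) per year = {prob:.4f}")
    print(f"Halving downtime saves ${mitigation_benefit(SCENARIOS, 0.5):,.0f} per year")
    print(f"Suggested limit above a $500k retention (1-in-10 to 1-in-100 year band): "
          f"${recommended_limit(SCENARIOS, 500_000, 10, 100):,.0f}")
```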


CYBERSECURITY:
THE HR IMPERATIVE
Katherine Jones, Ph.D., and Karen Shellenback

Cybersecurity is a shared responsibility: it is a board-level concern, an executive concern and a mandate for all employees. Every organization today must plan for when, not if, a cybersecurity breach happens. Companies and roles of all industries, types, and sizes are targets. With the enormity of this issue, data breaches are no longer solely the bailiwick of IT.

HR also has an important dual role to play when it comes to cybersecurity: creating and managing a cybersecure enterprise comprising the entire workforce and working to ensure the hiring, retention, and development of cybersecurity professionals.

CREATING A CYBERSECURE ENVIRONMENT

Many cybersecurity breaches affect HR because of the employee identification data that may become accessible. The results of an identity theft can be costly and far-reaching, such as when the data is resold and used in further theft such as the fraudulent filing of tax forms to claim refunds.

While the extent of the problem may appear insurmountable, HR can play a major role in helping to prevent cybercrime and data breaches.

Cybersecurity requires a comprehensive, multidimensional approach to governance, requiring the engagement of the board and the executive leadership team. Beyond the technology risk itself, breaches are an overall business hazard and pose a talent strategy imperative. Mercer Select Intelligence research reveals that HR has the opportunity to play a more significant role in strategic planning regarding cyber risk-mitigation. Only half of senior cybersecurity leaders report that HR helps create corporate risk tolerance strategies (50%) or contingency plans for addressing a breach of employee data (45%).

BOLSTERING CYBER RISK MITIGATION WITH AWARENESS TRAINING

In addition to addressing the cybersecurity challenge by shaping hiring and management practices, HR can contribute to corporate security through the development of a risk mitigation governance policy that includes a comprehensive learning strategy on cyber risk issues.

One early step for HR professionals is to familiarize themselves with the recommended data security protocols of their HR information system vendors and ensure that those policies are being observed. For example, Mercer Select Intelligence research shows that over 80% of ex-employees retain access to their previous employer's file-sharing service.

Security awareness training for employees is expected to become a fundamental cyber defense strategy by 2021. This effort must include all employees: from new-hire training that includes education on cyber risk best practices, to ongoing security education for more seasoned employees. This regularly scheduled employee education can better ensure that data security is top of mind. According to corporate cybersecurity leaders, only 55% of HR departments currently deploy organization-wide training and testing on the importance of mitigating risky behaviors and overall cyber safety (see Exhibit 1).

KNOW YOUR INSIDERS

Think about your current workforce and any past breaches or issues that may have occurred. Was it an accident on the part of the employee? Opening a legitimate-seeming email is a common cause of data breaches, and it's a problem that can be addressed by education.

Other times, tech-savvy employees may go rogue if permitted. Using their knowledge, they may download applications to their laptops or mobile devices that could intentionally


Exhibit 1: HR'S ACTIVITY IN CYBER MITIGATION STRATEGIC PLANNING
Responses: Strongly Disagree / Disagree / Agree / Strongly Agree

Improve cyber team processes, communication, and productivity using new technologies to leverage workflow processes and efficiencies
  13% / 49% / 31% / 7%
Assist with creating a corporate risk tolerance strategy
  7% / 43% / 48% / 2%
Develop contingency plans for addressing a breach of employee data (risk mitigation)
  9% / 45% / 36% / 9%
Deploy organization-wide training and testing on the importance of mitigating risky behaviors and overall cyber safety
  9% / 36% / 42% / 13%
Understand and action plan around current cyber team engagement levels
  7% / 35% / 48% / 9%
Leverage strategic workforce planning metrics to understand talent flows, bench strength/skills inventory, talent pipeline issues and future hiring needs, etc.
  7% / 35% / 49% / 9%

Source: Mercer Select Intelligence, 2017

or accidentally open the backdoor for ransomware or malware to enter and put the computer network at risk. Innocence, however, is not universal. Malicious employees may enter corporations with an agenda to sabotage. Here, diligent hiring practices, enforced system access controls, and sentiment-monitoring can combat the issue.

EMPLOYEE SENTIMENT: A PRIME PREDICTOR OF INSIDER ATTACKS

There are common events at work that adversely affect employee sentiment, and HR professionals know best when those potential flash points may occur. To meet the cybersecurity challenge, HR professionals must leverage that knowledge. HR should monitor employee sentiment for alienation and disengagement during reorganizations, corporate mergers, buyouts or divestitures, layoffs, and other internal or external events that affect the workforce. It is important to plan for alienation abatement through positive, honest communication and to monitor those employees who are most likely to be affected. Anticipating and planning for extra risk protection during tense periods that affect the workforce can significantly mitigate the potential risk during these periods.

Unfortunately, in today's world, a cyberattack is almost as inevitable as death and taxes, but there are ways HR can educate employees about the risks of security breaches and what they can do to help prevent them.

INSIDER ATTACKS USUALLY FALL UNDER ONE OF THE FOLLOWING THREE CATEGORIES: ACCIDENTAL, RENEGADE, OR MALICIOUS

FINDING AND FOSTERING CYBERSECURITY PROFESSIONALS

It is critical to create a comprehensive cyber risk mitigation strategy, provide awareness training, and understand risky employee behaviors, but protecting your organization against the ongoing barrage of daily hacks requires a cohort of talented and energized cyber professionals. There is a severe cybersecurity workforce shortage, with one million unfilled cybersecurity jobs in 2016 anticipated to grow to an expected shortfall of 1.5 million by 2019, according to Cybersecurity Ventures. Mercer Select Intelligence


surveyed senior cybersecurity leaders on their view of HR's role in cybersecurity, and the results showed that HR can do more to help the organization's cyber risk functions attract, train, and retain cyber professionals.

Our research shows that while approximately 90% of senior cybersecurity leaders report that HR helps them recruit from diverse labor pools and 62% report that their HR recruiting team partners with universities to access potential new hires, only a little over a half (54%) report that HR actively recruits from military communities, and only 35% report that HR works with them to use crowdsourcing and other innovative strategies to attract the best and the brightest (see Exhibit 2).

PROBLEMS FACED BY HR WHEN HIRING CYBERSECURITY STAFF
Key issues cited in hiring cybersecurity staff:
• 46%: Failure to locate talent with the right educational credentials
• 89%: Inability to locate talent with the experience needed

THE CYBER SKILL DEVELOPMENT IMPERATIVE

HR has an essential role in assessing and providing career development opportunities for cyber risk teams. While managers hiring for the cybersecurity function look for candidates with training and experience, HR should look to develop those qualifications within existing staff and among new hires. More than two-thirds (68%) of senior cybersecurity leaders report that their HR teams help build managerial skills to effectively coach and develop their cyber staff members; however, nearly two-thirds don't believe that HR helps create enticing career paths or developmental opportunities for those cyber professionals. Additionally, 62% do not believe that HR helps their staff obtain line-of-business experience, an important factor for the effective development and execution of business-driven mitigation strategies.

Finally, fewer than half (48%) of respondents believe that their organizations provide mentorship, sponsorship, or visibility opportunities for female cyber talent. Only 33% of HR departments help provide skill development opportunities, including relevant games

Exhibit 2: HR'S ACTIVITY IN CYBER TALENT RECRUITMENT AND RETENTION STRATEGIES: WHAT CYBER LEADERS TELL US
Responses: Strongly Disagree / Disagree / Agree / Strongly Agree

Partner with universities to open access to potential new hires through curriculum challenges, networking opportunities, co-ops, and internship opportunities
  9% / 29% / 53% / 9%
Plan and execute progressive/strategic retention strategies
  16% / 29% / 44% / 11%
Develop innovative community collaboration techniques, design challenges, hackathons, or crowd sourced approaches that attract external high-potential talent
  24% / 41% / 31% / 4%
Recruit from former military, government, or government (defense) contractors
  13% / 33% / 43% / 11%
Recruit from diverse labor pools in terms of gender, race and other protected groups
  5% / 5% / 65% / 24%
Recruit from diverse labor pools in terms of experience and education
  1% / 5% / 71% / 20%

Source: Mercer Select Intelligence, 2016


Exhibit 3: HR'S ROLE IN CAREER DEVELOPMENT OF CYBERSECURITY TALENT
Responses: Strongly Disagree / Disagree / Agree / Strongly Agree

Build manager skills to effectively coach, develop and mentor our cyber staff
  8% / 25% / 56% / 12%
Build line of business experience by providing opportunities for cyber staff in areas such as: business strategy, pragmatic negotiations, legal considerations, delivering impactful communications, and developing trusting relationships with line of business executives
  8% / 54% / 37% / 2%
Provide mentorship, sponsorship and/or visibility opportunities for female cyber talent
  8% / 44% / 40% / 8%
Focus on creative career growth opportunities for cyber staff that align with career goals, passions and personal aspirations
  10% / 48% / 38% / 4%
Create enticing career path trajectories for all levels of cyber staff
  10% / 56% / 29% / 6%
Develop innovative skill development opportunities, including relevant games for cyber staff
  12% / 56% / 27% / 6%

Source: Mercer Select Intelligence, 2016

for cyber staff (hackathons, for example) and only 42% focus on creative career growth opportunities for these strategic staff members (see Exhibit 3).

Understanding the current talent pool for cyber, the future capabilities that will be needed, and the best methods for addressing the cyber talent team's professional needs is a priority. HR has the capabilities and resources to help cybersecurity leaders attract, retain, and build the cyber workforce of the future. The imperatives of cyber risk mitigation, corporate boards, executive leadership teams and internal risk management departments should encourage HR to bolster the capabilities and retention of their cyber risk staff as a business priority.

CONCLUSION

Cybercrime is growing at a furious pace, costing organizations trillions globally with an expected increase to $6 trillion annually by 2021, according to DarkReading. The chance of avoiding an attempted breach is almost nonexistent, but the odds of preventing a successful breach will increase with HR's attention to areas discussed in this report.

We suggest that organizations ascertain their own risk tolerance and plan a cybersecurity strategy accordingly. Educating employees enterprise-wide, hiring right, and fostering cyber staff development are critical for HR professionals who face the growing cybercrime challenge.

This article is an excerpt from the report entitled Cyber Security: The HR Imperative for Today.

Katherine Jones is a Partner in Mercer's San Francisco office, and serves as the Products and Insights Leader of Mercer Select Intelligence.
Karen Shellenback is a Principal in Mercer's Denver office, in addition to being the Research and Insights Leader of Mercer Select Intelligence.


LIMITING CYBERATTACKS
WITH A SYSTEM WIDE
SAFE MODE
Claus Herbolzheimer

C
yberattacks cost companies an estimated half a trillion dollars in damages every
year. The main reason they can harm companies to such a staggering degree is
that todays cybersecurity systems use centralized monitoring, with little beyond
their main firewalls to protect the rest of an organization. As a result, when companies are
hacked, it can take days for information technology teams to isolate infected systems,
remove malicious code, and restore business continuity. By the time they identify, assess,
and resolve the incident, the malicious code has usually proliferated, almost without limit,
across any connected or even tangentially related systems, giving hackers even more time
to access sensitive data and to cause malfunctions.
To stay ahead of new intrusion techniques, companies need to adopt decentralized
cybersecurity architectures, armed with intelligent mechanisms that will either
automatically disconnect from a breached system or default to a safe mode that
will enable them to operate at a reduced level until the effects of cyberattacks can
be contained and corrected. Like the general security systems at high-risk sites such
as nuclear power plants, companies require multiple layers of redundant safety
mechanisms and cybernetic control systems. The goal should be to create air pockets,
with neither direct nor indirect internet connections, that can protect critical equipment
and internet-connected devices.
Every companys cybersecurity program will have unique attributes, but there are
several fundamentals to this decentralized architecture that can help companies shift the
balance of power away from the attackers.

DETECTION
Even the most expertly designed cyber architecture is useless if it can't detect and understand the threats it faces. Companies are experiencing more cyber viral outbreaks because they often can't even detect them until it is too late. Today's cybersecurity systems have been built to detect previously identified malicious codes and malware. But cyberattacks are morphing so fast that threat patterns are unpredictable.
To identify and mitigate evolving new attack scenarios, security systems need to
search for anomalies, analyze the probability that they are hostile acts, and incorporate
them into a continually expanding list of possibilities. This level of detection should be
carried out by components on many different levels to cover the multitude of devices
and system components connected to the internet and physical environments. Together,
these form several layers of cybernetic systems that can identify unknown and new forms
of attacks by comparing what they understand to be their normal, uncompromised state
both on their own and in combination with other systems.
Rather than reacting to a defined set of indicators, these systems detect and react to irregularities in data flows, involving anything from the amount, type, origination, or timing of data. For example, to determine whether someone should be locked out of an online bank account, some banks' cybersecurity systems are starting to use artificially intelligent technology to compare how a person normally types or uses their computer mouse.

HARM REDUCTION
The next step is to make sure that decentralized, intelligent systems minimize the impact of attacks by independently starting a protocol that takes potentially compromised systems offline, disconnects them from other critical equipment, or locks them into a safe mode. Current cybersecurity systems usually trigger an alert if they have identified a specific attack. But they continue to operate and communicate with other systems until information technology teams shut them down and correct the malfunction.
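As an added illustration (not code from the article or from Oliver Wyman), the Python sketch below models one component of the decentralized architecture described above: it baselines its own data flows on amount, origination and timing, requires two anomalous windows in a row before entering safe mode so that a single false positive does not trip it, and its peers drop their links to it without waiting for a central team. Component names, thresholds and the sample flows are constructed.

```python
"""Component-level anomaly detection feeding an autonomous safe mode.

Each component keeps its own picture of normal data flow (amount, origin,
timing), scores new windows against it, and isolates itself after repeated
anomalies instead of waiting for a central team. Names, thresholds and the
sample flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class FlowSample:
    """One observation window: bytes sent, origin of the traffic, hour of day."""
    bytes_out: int
    origin: str
    hour: int


@dataclass
class Component:
    name: str
    baseline: list = field(default_factory=list)
    state: str = "normal"      # "normal" or "safe_mode"
    strikes: int = 0           # consecutive anomalous windows seen
    strike_limit: int = 2      # hysteresis: one odd window is not an incident

    def anomaly_score(self, s: FlowSample) -> int:
        """One point per dimension (amount, origination, timing) outside the baseline."""
        vols = [b.bytes_out for b in self.baseline]
        mu, sigma = mean(vols), pstdev(vols) or 1.0
        known_origins = {b.origin for b in self.baseline}
        known_hours = {b.hour for b in self.baseline}
        score = 0
        score += abs(s.bytes_out - mu) > 3 * sigma   # amount
        score += s.origin not in known_origins        # origination
        score += s.hour not in known_hours            # timing
        return int(score)

    def observe(self, s: FlowSample) -> str:
        """Score a window; enter safe mode after strike_limit anomalies in a row."""
        score = self.anomaly_score(s)
        if score >= 2:
            self.strikes += 1
        else:
            self.strikes = 0
            if score == 0 and self.state == "normal":
                self.baseline.append(s)   # keep expanding the notion of "normal"
        if self.state == "normal" and self.strikes >= self.strike_limit:
            self.state = "safe_mode"      # reduced function, no waiting for IT
        return self.state


def active_links(links, components):
    """Peers drop every link to a component in safe mode and keep running."""
    state = {c.name: c.state for c in components}
    return [(a, b) for a, b in links if state[a] == state[b] == "normal"]


def demo():
    """Constructed scenario: 24 quiet windows, one odd-but-benign window,
    then two consecutive large transfers to an unknown host at 3 a.m."""
    plc, hmi, hist = Component("plc-7"), Component("hmi-1"), Component("historian")
    plc.baseline = [FlowSample(1000 + 10 * (i % 5), "historian", 8 + i % 10)
                    for i in range(24)]
    states = [plc.observe(FlowSample(1020, "laptop-42", 9)),        # score 1: stays normal
              plc.observe(FlowSample(250_000, "203.0.113.9", 3)),   # score 3: strike 1
              plc.observe(FlowSample(260_000, "203.0.113.9", 3))]   # score 3: safe mode
    links = [("plc-7", "hmi-1"), ("plc-7", "historian"), ("hmi-1", "historian")]
    return {"states": states, "links": active_links(links, [plc, hmi, hist])}
```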

SECURE-BY-DESIGN
Finally, all companies' products will eventually have to become secure-by-design. So far, it seems that companies pay little heed to cybersecurity during product development. That needs to change. Hackers have remotely accessed and controlled everything from network-connected electricity smart meters to security cameras. In 2015 Chrysler recalled vehicles after a pair of cybersecurity researchers demonstrated that they could remotely hijack a Jeep's digital systems over the internet. In Germany, nearly one million homes suffered brief internet outages in 2016 after criminals gained access to and remotely shut down their internet routers. The U.S. Food and Drug Administration warns that medical devices connected to hospital networks, other medical devices and smartphones, such as implantable heart monitors, are now at risk of remote tampering that could deplete devices' batteries or result in inappropriate pacing or shocks.
Companies need to build kill switches, safe modes, and encryption into their products during development. This will protect not only the companies' systems but also their customers'. Apple, for example, installs layers of data encryption into its products and will permit customers to run only Apple-approved software programs on their devices. Such practices need to become standard operating procedure across all industries.

CONCLUSION
Stopping cyberattacks will never be cheap or easy. Developing decentralized, intelligent
cybersecurity systems will likely happen in fits and starts as devices learn through trial and
error not to react to false positives or to go into safe mode more often than is necessary.
Managers will have to show leadership, since most customers remain unaware of the extent to which cyber risks now threaten the products in their possession, and so are likely to be
impatient with glitches and delays. The good news is that the technology exists to make
good cybersecurity a reality. Decentralized, intelligent systems can significantly decrease
the risk of cyberattacks and minimize their damage. The savings will be enormous.

This article first appeared in Harvard Business Review on May 17, 2017.

Claus Herbolzheimer, based in Berlin, is a Partner in Oliver Wyman's Digital practice.


RECOGNIZING THE ROLE OF INSURANCE
Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo

A key role of insurance is risk transfer. Having recognized that cyber risk cannot be eliminated, companies must be prepared for a cyberattack. The challenge with cyber risk is that it has the potential to be a tail risk to data, reputation, or the ability to do business. A 2016 study by Ponemon found that the average total cost of a breach is $4 million, up 29 percent since 2013 and persistently rising. The magnitude of a potential, sudden loss forces firms to scrutinize their ability to withstand such impact, and after rigorous analysis, part of the solution almost always involves looking to insurance as a way of transferring the risk away.

The role of cyber insurance is also useful in quantifying the price of cyber risk. Insurance premiums can serve as benchmarks to the risk modeling output and should be used as part of profitability analyses to determine the financial feasibility of a project, or of executing cyber risk mitigation efforts. For instance, if a cybersecurity feature costs less than the net present value (NPV) of the resulting reduction in cyber insurance premiums, it is a worthwhile endeavor.

Prompted by the wave of high-profile attacks and new data protection rules introduced around the world, annual gross written cyber insurance premiums have grown by 34 percent per annum over the last seven years, from $500 million in 2009 to $3.9 billion in 2016. Strong and long-term growth is expected in the global cyber insurance market, which is projected to reach $9 billion by 2020.

However, the cyber insurance market remains heavily skewed towards the US: the insurance take-up rate was 55 percent in the US in 2016, compared to 36 and 30 percent in the UK and Germany respectively. The take-up rate in APAC was even lower, even though data is scarce. The distribution is worse for cyber insurance premiums, which were again largely dominated by the US.

The US is expected to continue dominating the global cyber insurance market over the next few years. A key driving force is the mandatory breach notification laws, the first of which was enacted in California in 2002. Today, 47 out of the 50 US states have enacted the legislation, following the basic tenets of California's original law.

Despite the proliferation of technology and cyberattacks in APAC, there lie significant opportunities for insurers here since APAC's cyber insurance market share remains negligible. This suggests strong growth potential and significant opportunities for insurers in the region: the cybersecurity market in APAC is projected to grow over 15 percent per annum till 2019. Munich Re expects Asian market volumes for cyber covers to grow to $1.5 billion by 2020, while AIG estimates cyber insurance penetration in Singapore could increase to 40 percent in 2020 from 9 percent today.

[Exhibit 1: GLOBAL CYBER INSURANCE MARKET. 2016 insurance premiums, $3.9 billion global figures, percent share by region: Europe, Rest of World including APAC, United States. The United States accounts for about 90 percent; the two other regions are shown at 4 percent and 6 percent. Source: Oliver Wyman]

There are key insurability challenges that need to be addressed so insurers can fully capture the growing market share, while the insured are adequately protected at fair prices.

CHALLENGE #1: HIGH SPECIFICITY AND STRICT LIMITATIONS IN CYBER INSURANCE PRODUCT OFFERINGS
The scope of cyber insurance coverage remains highly specific as the characteristics of cyber threats across geographical locations, industries, and size of corporations vary widely. With little standardization across the products offered, companies need to have a deeper understanding of their own cyber risk exposures to determine the appropriate type and amount of coverage required based on their own risk tolerances. However, 49 percent of respondents surveyed by Marsh admitted that they possess insufficient knowledge about their own risk exposures to assess the insurances available. Thus, even corporations with some form of cyber insurance may be unprotected against indirect losses that cannot be measured (reputational losses, for example), or not relevant to their risk exposure, leaving many corporations exposed to larger losses. On the other hand, cyber policy limits from a single underwriter typically range up to $100 million. Furthermore, with layered programs, a consortium of insurers and reinsurers can provide a tower of cyber insurance easily beyond $500 million in limits, which usually involves a series of insurers writing coverage, each one in excess of lower limits written by other insurers.

"CYBER INSURANCE IS NOT A HOLISTIC SOLUTION IN DEALING WITH CYBER EXPOSURE AND COVERS ONLY CERTAIN SPECIFIC EVENTS AND OUTCOMES."
Douglas Ure, Practice Leader (Asia) at Marsh Risk Consulting

It is imperative that companies put in place processes for proper assessment of their cyber risk exposure, as that will lead to more targeted and effective mitigation, and greater ability to judge the value of the risk transfer options available in the market. There is no one standard policy to cover cyber risk as the characteristics of cyber threats vary widely across industries and corporation size, while the terms and coverage of policies are complicated in nature. Thus, companies need to have a deeper understanding of their own exposure as it will help determine the appropriate type and amount of coverage required based on their risk tolerances (Exhibit 2 provides an example of different loss categories deriving from cyberattacks and non-malicious IT failures).

Exhibit 2: DIFFERENT LOSS CATEGORIES AVAILABLE IN THE CYBER INSURANCE MARKET

Intellectual property (IP) theft: Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share

Business interruption: Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyberattacks or other non-malicious IT failures

Data and software loss: The cost to reconstitute data or software that has been deleted or corrupted

Cyber extortion: The cost of expert handling for an extortion incident, combined with the amount of the ransom payment

Cybercrime/cyber fraud: The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money, securities or other property

Breach of privacy event: The cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected data subjects. Third-party liability claims arising from the same incidents. Fines from regulators and industry associations

Network failure liabilities: Third-party liabilities arising from certain security events occurring within the organization's IT network or passing through it in order to attack a third party

Impact of reputation: Loss of revenues arising from an increase in customer churn or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event

Physical asset damage: First-party loss due to the destruction of physical property resulting from cyberattacks

Death and bodily injury: Third-party liability for death and bodily injuries resulting from cyberattacks

Incident investigation and response costs: Direct losses incurred in investigating and closing the incident and minimizing post-incident losses. Applies to all the other categories/events

Source: Oliver Wyman


CHALLENGE #2: EVOLVING NATURE OF TECHNOLOGY AND THE INTERNET
The rapidly evolving nature of the Internet sets the speed not just for technological advancements but also for severe cybercrimes with increasingly complex capabilities. Insurers need to constantly adapt to the dynamic digital landscape to improve their risk exposure models when designing more innovative cyber insurance products.

The constantly evolving nature of exposure also limits the usefulness of any historical data gathered, since they are most likely not going to be representative of future projections, hampering the development of accurate and robust models.

The low take-up rates of cyber insurance are often attributed to the mismatch of needs and offerings between the insured and the insurers. Whether it is in addressing the overpriced premium for a limited coverage, or offering products that are better suited and without many exclusion clauses, it is imperative for insurers to innovate and work on bridging the expectation gap.

One potential innovative product is a shared limits policy amongst firms with non-correlated risk. Marsh believes this should provide firms with access to $1 billion or more of coverage at a fraction of the cost of a stand-alone policy, sufficient to protect against a worst-case scenario. In 2016, Marsh launched Cyber ECHO, a global excess cyber risk facility underwritten by Lloyd's of London syndicates, offering up to $50 million in follow-form coverage for clients across all industries around the world.

"TO MEET THE GROWING NEEDS OF OUR CUSTOMERS, GUY CARPENTER IS EXPANDING OUR EXPERTISE IN ASSESSING CYBER RISK BY WORKING CLOSELY WITH EXTERNAL EXPERTS AND INDUSTRY PLAYERS."
Michael Owen, Chief Actuary at Guy Carpenter

CHALLENGE #3: EXPANDING CYBER INSURABILITY
Risk pooling has become an ineffective diversification mitigation tool in the cyber insurance landscape due to the underwhelming market share and smaller-than-required risk portfolios. Conventional strategies such as geographic or industrial diversifications also present greater challenges for cyber insurance as compared to other traditional insurance policies.

Tom Ridge, former Secretary of the US Department of Homeland Security, recently highlighted a key role for insurance-linked securities (ILS) in enabling cyber risks to be transferred to capital market investors. With growing cyber threats in terms of both systemic risks and financial impacts, the insurance industry alone may not be able to fully absorb the risk transfer. Thus, it becomes critical for the insurance industry to innovate beyond the usual underwriting, and into the broader landscape involving capital markets, industries, and governments. This public-private partnership approach allows stacking multiple layers of both coverage and liquidity in the fight against cybercrimes.

CONCLUSION
Without a doubt, insurance has a key role to play in cyber risk management. However, organizations need to be cognizant that a cyber insurance policy is one of the many tools that form a more comprehensive cybersecurity management strategy. Business executives need to find the right balance between cybersecurity investments and securing appropriate insurance plans suitable to the unique needs of their industry or organization.

This article is an excerpt from the report entitled Cyber Risk in Asia-Pacific: The Case for Greater Transparency.

Wolfram Hedrich is the Executive Director of Marsh & McLennan Companies' Asia Pacific Risk Center. Gerald Wong is a Senior Consultant for Oliver Wyman. Jaclyn Yeo is a Senior Research Analyst for Marsh & McLennan Companies' Asia Pacific Risk Center.


Copyright 2017 Marsh & McLennan Companies, Inc. All rights reserved.

This report may not be sold, reproduced or redistributed, in whole or in part, without the prior written permission of Marsh & McLennan Companies, Inc.

This report and any recommendations, analysis or advice provided herein (i) are based on our experience as insurance and reinsurance brokers or
as consultants, as applicable, (ii) are not intended to be taken as advice or recommendations regarding any individual situation, (iii) should not be
relied upon as investment, tax, accounting, actuarial, regulatory or legal advice regarding any individual situation or as a substitute for consultation
with professional consultants or accountants or with professional tax, legal, actuarial or financial advisors, and (iv) do not provide an opinion
regarding the fairness of any transaction to any party. The opinions expressed herein are valid only for the purpose stated herein and as of the date
hereof. We are not responsible for the consequences of any unauthorized use of this report. Its content may not be modified or incorporated into or
used in other material, or sold or otherwise provided, in whole or in part, to any other person or entity, without our written permission. No obligation
is assumed to revise this report to reflect changes, events or conditions, which occur subsequent to the date hereof. Information furnished by
others, as well as public information and industry and statistical data, upon which all or portions of this report may be based, are believed to be
reliable but have not been verified. Any modeling, analytics or projections are subject to inherent uncertainty, and any opinions, recommendations,
analysis or advice provided herein could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate
or incomplete or should change. We have used what we believe are reliable, up-to-date and comprehensive information and analysis, but all
information is provided without warranty of any kind, express or implied, and we disclaim any responsibility for such information or analysis or to
update the information or analysis in this report. We accept no liability for any loss arising from any action taken or refrained from, or any decision
made, as a result of or reliance upon anything contained in this report or any reports or sources of information referred to herein, or for actual results
or future events or any damages of any kind, including without limitation direct, indirect, consequential, exemplary, special or other damages, even
if advised of the possibility of such damages. This report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. No
responsibility is taken for changes in market conditions or laws or regulations which occur subsequent to the date hereof.
ABOUT THE GLOBAL RISK CENTER

Marsh & McLennan Companies' Global Risk Center addresses the most critical challenges facing enterprise and societies around the
world. The center draws on the resources of Marsh, Guy Carpenter, Mercer, and Oliver Wyman and independent research partners
worldwide to provide the best consolidated thinking on these transcendent threats. We bring together leaders from industry,
government, non-governmental organizations, and the academic sphere to explore new approaches to problems that require shared
solutions across businesses and borders. Our Asia Pacific Risk Center in Singapore studies issues endemic to the region and applies an
Asian lens to global risks. Our digital news services, BRINK and BRINK Asia, aggregate timely perspectives on risk and resilience by and
for thought leaders worldwide.

Marsh & McLennan Companies (NYSE: MMC) is a global professional services firm offering clients advice and solutions in the areas
of risk, strategy, and people. Marsh is a global leader in insurance broking and risk management; Guy Carpenter is a global leader in
providing risk and reinsurance intermediary services; Mercer is a global leader in talent, health, retirement, and investment consulting;
and Oliver Wyman is a global leader in management consulting. With annual revenue of $13 billion and approximately 60,000
colleagues worldwide, Marsh & McLennan Companies provides analysis, advice and transactional capabilities to clients in more than
130 countries. The Company is committed to being a responsible corporate citizen and making a positive impact in the communities
in which it operates.

Visit www.mmc.com for more information and follow us on LinkedIn and Twitter @MMC_Global
