MMC CYBER HANDBOOK 2018 Perspectives on the next wave of cyberCyber risk continues to grow as technology innovation increases and societal dependence on information technology expands. A new and important turning point has been reached in the struggle to manage this complex risk. In the war between cyber attackers and cyber defenders, we have reached what Winston Churchill might call “the end of the beginning. ” Three characteristics mark this phase shift. First, global cybercrime has reached such a high level of sophistication that it represents a mature global business sector illicit to be sure, but one which is continually innovating and getting more efficient. In 2017 we have experienced the widespread use of nation state-caliber attack methods by criminal actors. Powerful self-propagating malware designed to destroy data, hardware and physical systems have caused major business disruption to companies worldwide with an enormous financial price. The number of ransomware attacks has also spiked significantly . More attack incidents have impact extending beyond the initial victims with broad systemic ripple effects. Second, business and economic sectors have high and growing levels of dependency on IT systems, applications and enabling software. Growth in connectivity between digital and physical worlds, and the acceleration in commercial deployment of innovative technologies like Internet of Things (IOT) and Artificial Intelligence (AI) will expand potential avenues for cyberattack and increase risk aggregation effects. These changes will make the next phase of cyber defense even more challenging. The third shift is the rising importance of coordination among institutions governments, regulatory authorities, law enforcement agencies, the legal and audit professions, the non-government policy community , the insurance industry , and others as a critical counter to the global cyber threat. Cyber risk defense can only be effective if these groups share a common understanding of the changing nature of the threat, their importance and increased interconnected nature. Working individually and in concert, these groups can increase our collective cyber resilience. We are beginning to see expectations converge in areas such as increased transparency , higher penalties for failure to maintain a standard of due care in cyber defense, improved incident response, and an emphasis on risk management practices over compliance checklists. It will be vital for this trend to continue in the next phase. Against this backdrop, the 2018 edition of the MMC Cyber handbook provides perspective on the shifting cyber threat environment, emerging global regulatory concepts, and best practices in the journey to cyber resiliency. It features articles from business leaders across Marsh & McLennan Companies as well as experts from Microsoft, Symantec, FireEye and Cyence. We hope the handbook provides insight which will help you understand what it takes to achieve cyber resiliency in the face of this significant and persistent threat. John Drzik President, Global Risk and Digital Marsh & McLennan Companies FOREWORDCONTENTS Threat T rends on Major Attacks in 2017 p. 5 Industries Impacted By Cyberattacks p. 6 Evolution of Cyber Risks: Quantifying Systemic Exposures George Ng and Philip Rosace p. 7 The Dramatically Changing Cyber Threat Landscape in Europe FireEye | Marsh & McLennan Companies p. 10 Asia Pacific A Prime T arget for Cybercrime Wolfram Hedrich, Gerald Wong, and Jaclyn Y eo p. 15 The Equifax Breach And its Impact on Identity Verification Paul Mee and Chris DeBrusk p. 21 Lessons from WannaCrypt and NotPetya Tom Burt p. 24 The Mirai DDoS Attack Impacts the Insurance Industry Pascal Millaire p. 27 Time For T ransportation and Logistics To Up Its Cybersecurity Claus Herbolzheimer and Max-Alexander Borreck p. 30 Are Manufacturing Facilities as Secure as Nuclear Power Plants? Claus Herbolzheimer and Richard Hell p. 33 WAKE UP TO THE SHIFTING CYBER THREAT LANDSCAPEPercentage of Respondents at Each Level of GDPR Compliance p. 35 The Growing Waves of Cyber Regulation Paul Mee and James Morgan p. 36 Regulating Cybersecurity in the New Y ork Financial Services Sector Aaron Kleiner p. 40 The Regulatory Environment in Europe is About to Change, and Profoundly FireEye | Marsh & McLennan Companies p. 43 Cybersecurity and the EU General Data Protection Regulation Peter Beshar p. 46 Cyberattacks and Legislation: A Tightrope Walk Jaclyn Y eo p. 49 Cyber Preparedness Across Industries and Regions p. 53 Deploying a Cyber Strategy Five Moves Beyond Regulatory Compliance Paul Mee and James Morgan p. 54 Quantifying Cyber Business Interruption Risk Peter Beshar p. 60 Cybersecurity: The HR Imperative Katherine Jones and Karen Shellenback p. 61 Limiting Cyberattacks with a System Wide Safe Mode Claus Herbolzheimer p. 63 Recognizing the Role of Insurance Wolfram Hedrich, Gerald Wong, and Jaclyn Y eo p. 65 PREPARE FOR EMERGING REGULATIONS CYBER RESILIENCY BEST PRACTICES WAKE UP TO THE SHIFTING CYBER THREAT LANDSCAPETHREAT TRENDS ON MAJOR AT TACKS CLOUD MOBILE Average number of cloud apps used per organization Percentage of data broadly shared Ransomware families Number of detections 463,841 Average ransom amount $1,077 2016 $373 2014 340,665 $294 2015 2016 2014 2015 101 30 30 T otal breaches Breaches with more than 10 million identities exposed Average identities exposed per breach Total identities exposed 1,523 1, 211 1,209 774 841 928 25% 23% 25% 2015 JULDEC 2016 JANJUN 2016 JULDEC BREACHES RANSOMWARE New mobile vulnerabilities 2015 89 463 2016 290 316 2014 178 12 10 BlackBerry iOS Android TOTAL 606 552 200 New Android mobile malware families New Android mobile malware variants 2014 2015 2016 3.6 K 805 K 466 K 927 K In the last 8 years more than 7 .1 BILLION identities have been exposed in data breaches 18 4 46 2.2 K 3.9 K 13 15 11 564 MM 1.1 BN 1.2 BN Source: Symantec 5 MMC CYBER HANDBOOK 2018 INDUSTRIES IMPACTED BY C Y B ER AT TAC K S Percentage of respondents in industry that have been victims of cyberattacks in the past 12 months 25% 26% 25% 22% 17% 19% 15% 15% 14% 14% 13% 9% Retail and Wholesale (N=39) Aviation and Aerospace (N=34) Power and Utilities (N=56) Professional Services (N=136) Infrastructure (N=36) Manufacturing (N=176) Energy (N=88) Marine (N=36) Financial Institutions (N=132) Health Care (N=101) Communications, Media, and Technology (N=104) Automotive (N=46) Source: 2017 Marsh | Microsoft Global Cyber Risk Perception Survey 6 MMC CYBER HANDBOOK 2018C yberattacks have escalated in scale over the last twelve months. The progression of events has demonstrated the interconnectedness of risks and shared reliance on common internet infrastructure, service providers, and technologies. If the T arget, Sony , Home Depot, and JPMorgan Chase data breaches in 2013 and 2014 defined the insureds need to manage their cyber risks and drove demand for cyber insurance, then this years events have proven the need for insurers to quantify and model their exposure accumulations and manage tail risk. These recent events have a different texture and a broader impact/reach than the incidents we have grown accustom to seeing over the past decade. A certain trend towards awareness of systemic risk has emerged among cyber insurance markets and their regulators. Exposure modeling around accumulation EVOLUTION OF CYBER RISKS: QUANTIFYING SYSTEMIC EXPOSURES George Ng and Philip Rosace MMC CYBER HANDBOOK 2018