Thomas Dunbar has a simple philosophy for executing the complex task of protecting his company's sensitive data among thousands of employees in 60 offices, in more than 20 countries. "We talk about our employees being the first line of defense, saying, 'Security starts with you,'" says XL Catlin's head of information risk management.

It's the rock upon which Dunbar's team continues to build and expand its program, an ever-evolving set of data-risk-management protocols and internal controls that have earned it the distinction of National Underwriter P&C's 2015 Excellence in Cyber Security Risk Management Award.

"Exposing customer data to unauthorized individuals could do irreparable damage to our customers, lose our customers' trust, damage XL Catlin's reputation, and result in financial loss and exposure to regulatory fines," says Dunbar. To combat these risks, the company has deployed an in-depth risk management strategy that focuses on prevention, detection, response and remediation through people, process and technology-tiered tactical solutions.

Whether it's his colleagues' personal information stored in the insurer's employment records, clients' loss information or vendors' bank account data, "all of the information we keep is very important to us, and we take our duty to protect it very seriously," he adds.

Dunbar's squad works with XL Catlin's business executives to weave cyber security risks and associated risk mitigation into their business processes; underwriters, so they understand the possible risks that customers will ask about when managing their confidential or proprietary information in the company's keep; and the carrier's cyber underwriting team, on requirements and possible vendors who could make its cyber product better. It also partners with the company's legal and privacy teams to ensure compliance with statutory and regulatory requirements.

XL Catlin's Security Management program, part of the carrier's enterprise risk management team, takes a holistic approach to its information and cyber security program that starts with the understanding that cyber risk is a business risk management responsibility, and engages all colleagues to help make the program successful. That journey, Dunbar says, starts with engaging top leaders and ascertaining what the organization's greatest threats to business are, from the perspective of digital exposures.

"You have to have buy-in right at the top, because they need to understand what the risks are," he says. "You've got to have that meeting with the leadership team to discuss what they perceive the company's cyber risk to be — and most times, they're not necessarily going to know. So you often have to lead them through that."

That starts with asking the company's business leaders, "If we had a cyber event, what would you be most concerned about?" he continues. "What is the most valuable data to your business? What is the data that if it was taken, for whatever reason, would cause the most problems? Personally identifiable information? Personal health information?"

The second step is getting those business leaders to understand that cyber security is not an IT issue. "It's important when you're working with data to say that the business owns and is responsible for the data, and IT are the custodians of the data," he explains.

If a business can identify the information most worth protecting, he continues, "then IT has solutions to help them do that. So there's a giant partnership there to make sure that you get the right technology and it's protected, but IT doesn't always know what the most valuable data is or if it's in a database."

Yet instilling a sense of shared responsibility among all of an organization's employees is critical in maintaining a solid cyber security program. "You have to permeate this thing throughout the entire structure of the company. You have to get to every colleague," says Dunbar. "That's the biggest piece of this, because we talk about them being the first line of defense. That's where we start."

Security from the ground up

The largest security breaches occur through social engineering, phishing and malware. Dunbar and his team have developed a multi-pronged approach to continuously train colleagues on cyber risks, using online security training, videos, posters, blogs, internal testing, security-themed screensavers, phishing exercises and targeted assessments.

(Photo: Matt Furman)

The colorful training modules, which take anywhere from seven to 10 minutes to complete, have gamification built into them to keep employees engaged. "When they go through these, we want people to learn not just what to do at the office, but how to protect themselves at home," says Dunbar. "All of the classes that we give them, they can relate back to their families."

His team's latest training module, titled "Don't Let Your Trash Be Someone's Treasure," teaches how to safely dispose of data when it's no longer needed. "It continues to reinforce that data is the important piece here," he says. "It talks about not just paper data, but an old computer, an old iPhone, any of the things on your desk.

"When do you shred something, how do you wipe a computer?" he asks. "A lot of that will be done by your IT team at the office when something needs to be done on a device, but what do you do when you get your new PC at home? Most people just throw it out; they don't think about all the data that's sitting on that hard drive."

At XL Catlin offices worldwide, installed on every machine is a security screensaver. Every time their machines go to sleep and the screensaver comes up, employees are greeted with one of seven rotating slides that talk about the importance of information security.

With the assistance of a vendor, Dunbar's department also creates training videos (hosted on the company portal) that engender and reinforce good security habits, such as smarter password creation. The last one his team created, titled "A Day in the Life," features a character named Striker Harley, who walks through an office building offering tips on data security and the different things employees can do on a daily basis to make sure that company information is kept safe.

In 2014, the security team released six such videos. To encourage employees to view them (while not mandatory, viewing is strongly encouraged), they were informed that for every one of the videos they watched, the company would donate $1 to worldwide medical humanitarian organization Doctors Without Borders. "We donated $10,000, in the end," Dunbar notes.

When a new video is released, "I'll do an all company e-mail introducing it and talking about information, security training, and what we've done this time," he says. "I'll introduce the video and put the link in there so they can go to it. I tell them up front how long it is, because if you just tell them to go to training, it's tough to get [viewers] if they think they're going to go there and find 30 or 40 minutes — so we try to keep things bite-sized and memorable. Then we follow up with blogging on the company portal, as well. We just keep trying to get it in front of people."

Testing the fences

XL Catlin has deployed a full data loss prevention (DLP) program that monitors confidential data within the network, including data stored on employee devices. The program proactively alerts on possible data problems, blocks unintended data breaches, and advises colleagues of potential issues. It also allows the business to identify and "fingerprint" its most important or confidential data to prevent inappropriate use or disclosure.

DLP also ensures that Dunbar's department can control all data sent to or stored on external media, including USB sticks, external drives and cloud storage providers. The tool blocks the use of these devices without approval, and only permits approved devices and locations, which are monitored and audited continually. All external media must be encrypted.
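The "fingerprint" step the DLP paragraph above describes can be illustrated with a small scanner, added here as a worked example that is not XL Catlin's tooling or any vendor's product: protected documents are reduced to hashed word shingles, and an outbound message is flagged when enough of its shingles match one of those fingerprints. The document text, the message text, the shingle size and the alert threshold are all constructed assumptions.

```python
"""Document fingerprinting for DLP: hash k-word shingles of protected documents,
then score outbound text by the share of its shingles found in a fingerprint.
Added example, not XL Catlin's tooling; all documents and messages below are constructed."""
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 5        # words per shingle; longer shingles mean fewer false positives
ALERT_THRESHOLD = 0.30   # fraction of message shingles that must match (assumed value)

def _normalize(text: str) -> List[str]:
    # Lower-case word tokens only, so punctuation or line-wrapping changes do not defeat matching
    return re.findall(r"[a-z0-9]+", text.lower())

def shingle_hashes(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Return the set of SHA-256 hashes of every k-word window in the text."""
    words = _normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(len(words) - k + 1, 0))
    }

def build_fingerprints(documents: Dict[str, str]) -> Dict[str, Set[str]]:
    """Fingerprint each protected document; only hashes need to leave the data owner."""
    return {name: shingle_hashes(body) for name, body in documents.items()}

def scan_outbound(message: str, fingerprints: Dict[str, Set[str]]) -> Dict[str, float]:
    """Return {doc_name: match_ratio} for every protected document whose
    fingerprint covers at least ALERT_THRESHOLD of the message's shingles."""
    msg = shingle_hashes(message)
    if not msg:                      # too short to form a single shingle
        return {}
    hits = {}
    for name, fp in fingerprints.items():
        ratio = len(msg & fp) / len(msg)
        if ratio >= ALERT_THRESHOLD:
            hits[name] = round(ratio, 2)
    return hits

# Constructed sample: one protected document, fingerprinted once by the data owner
PROTECTED_DOCS = {
    "claims-loss-run": "Loss run for policy 7781 claim 42 paid 150000 reserve 20000 "
                       "claimant injury at warehouse site dated march 3",
}
FINGERPRINTS = build_fingerprints(PROTECTED_DOCS)

if __name__ == "__main__":
    leak = "FYI here is what we have: loss run for policy 7781 claim 42 paid 150000 reserve 20000"
    print(scan_outbound(leak, FINGERPRINTS))  # {'claims-loss-run': 0.54}
    print(scan_outbound("lunch at noon tomorrow works for me", FINGERPRINTS))  # {}
```

Because matching is on shingles rather than whole files, a partial excerpt pasted into an e-mail still scores, while ordinary text that merely shares a few words with the document does not.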

"We've put a new tool in this year where it protects you no matter where you are," Dunbar adds, addressing the issue of Wi-Fi exposures. "No matter where you go, what Internet you get onto, if you pick up malware, it's going to be recognized and it's going to be blocked or quarantined."

(Photo: Matt Furman)

While no good gatekeeper will reveal all the details of the cyber defenses one has in place at their company (which are multi-tiered), Dunbar is wise enough to know that there are always lessons to be learned in what really works best. The carrier's defenses are tested continuously, including third-party attack and penetration services.

Internal "phishing" tests are conducted to see what information employees might be tricked into revealing. Phishing involves e-mails that look legitimate but carry a malicious payload (a virus, worm or other malware) or contain a link that, if clicked, creates a breach through which a data thief can enter the company's system.

"We'd go about it the same way a hacker would," he explains. "We'll go externally and harvest the e-mail addresses of our colleagues and we'll craft a phishing test, working with a third party. Then we'll send it into our colleagues. If they open it, they get a pop-up warning that says, 'You've been phished.' If it asks them to go to a website and if they click on the link, they'll get a big pop-up screen, again, telling them that they've been phished." This exercise helps employees sharpen their skills in spotting suspicious e-mails that could prove harmful.

"We know the training is working because we get so many e-mails [from employees] saying, 'this doesn't look right,'" says Dunbar. Phishing e-mails often convey a sense of urgency that the action requested of the recipient has to happen immediately. "You get that sense of urgency in there and people go, 'Oh my God, I've got to do this,' and they click. We've said: 'Think before you click; stop, count to 10; just don't.'"

After completing these types of tests, Dunbar's team sends out a communication to all employees sharing the results. "We give them the statistics—how many people received it, how many of them were phished, how many were successful and then provide educational details on the phish and how it could have been recognized and avoided."

(Photo: Matt Furman)

XL Catlin also tests its defenses by conducting live Distributed Denial of Service (DDoS) attacks — conducted by a third party — to determine just how well its tools would respond to real-world intrusions.

"When denial of service attacks were hitting financial companies continually, we thought, 'What would happen if we were hit with a denial service attack?'" Dunbar recalls. "So on a weekend — off-hours, when we figured it would be the least intrusive to do that — we partnered with a third party and we got them to do the same thing, to just start hammering us with excess data to see how we would stand up against that.

"It's not the kind of thing you want to be talking about, but it was just a test to say, 'OK, what would happen, and what did you learn from it? What can you do to fix it so that if you truly had the bad guys come at it even harder than what you did, what were the things you could fix?'"

Additionally, his team conducts periodic APT (Advanced Persistent Threat) exercises to fully vet the carrier's network and infrastructure cyber security, using the same tools as hackers would deploy.

"A lot of times [data thieves] want to get in, get data and get out," says Dunbar, "But you're seeing more and more cases in which they get in and then over a course of time they just stay in there and they search, and search and search. So we let our testers inside as if they're a trusted user and then we say, 'What can you find?' Can they find machines that haven't been patched, can they find places where perhaps a password is too weak or not changed from the default? Take a few months and just keep crawling through the network and see what you can find on us."

The results help inform the decisions on what extra protocols and safety procedures can be added, or which ones already in place could be altered.

"To me, that's one of the most important things that you need to do running a program," Dunbar says. "It's one thing to be doing internal testing and doing benchmarking and things like that and you get a certain comfort level, you built a good program. But until you have that independent set of eyes with independent tools, that's just going to come at you like the bad guys would, you don't know how effective it is.

"I always look at it this way," he adds. "If they find [a weakness], they find it. It makes us stronger. It's better to have them find it than to have the real bad guys find it."

'Vishing' trip

A similar tactic to phishing is "vishing," or voice phishing, which occurs when someone calls you on the phone and pretends to be someone else, with the intent of stealing sensitive information.

"You've heard the stories: 'Hi, this is the Microsoft Help Desk. We noticed that your machine has got some malware on it and we'd like to help you clean that. All you need to do is give me your user ID and password and I can help you,' or 'Give me control of your screen,'" says Dunbar. "And people do this."

Although he hasn't seen someone fall for such a ruse on the inside (yet), Dunbar is aware that the calls have come into the company. "So we said, 'Let's put out a blog to tell people about this.'" Constant education on such schemes via XL Catlin's company intranet is critical. "We get these schemes out there when we spot them. That way, our colleagues can recognize them."

Certified measures

Thomas Dunbar's team took the added effort to have XL Catlin's information protection processes and protocols evaluated and certified by ISO, the International Organization for Standardization. This year, the company's Information Security Management System received ISO 27001 certification.

The ISO 27000 family of standards is designed to help organizations keep information assets such as financial information, intellectual property, employee details and other corporate data secure.

In order to earn ISO 27001 certification, a company's Information Security Management System is reviewed by an outside organization. In addition to the review process, the company's information security controls are scrutinized to ensure confidentiality, integrity and availability of its information assets.

"By pursuing this certification, we are looking to live up to the same high online standards that we would like to see clients achieve," says Dunbar. "As XL Catlin provides Cyber insurance products, we must set an example. How a client protects information assets and its computer network are considerations in the Cyber insurance underwriting process."

In the coming months, XL Catlin will also look to review its program against the National Institute of Standards and Technology (NIST) Cyber Security Framework. NIST is a federal technology agency whose cyber guidelines are being considered more closely by U.S. companies when evaluating their information security programs. A non-regulatory federal agency, NIST develops information security standards and best practices, including minimum requirements for federal information systems.

"NIST is going to start making more headway because more companies in the U.S. are looking at it," says Dunbar. "It was developed to make sure that critical infrastructure has the right level of mitigation against cyber risks. It's a good program, and I think it's going to get more pervasive in everything you do.

"I've talked with our head auditor, and he says he's been going to a number of audit conferences where his peers are talking about the NIST framework," Dunbar adds. "It's something that anyone [working in information security] is going to have to be paying attention to, for the future."

The most effective risk management plans are often a team effort, and XL Catlin's is no exception. The following are the fellow members of Thomas Dunbar's Information Security staff at XL Catlin:

Dave Cameron — Head of Information Security Engineering and Operations

Nathan Bettis — Information Security Specialist

Artea Beirn — Information Security Specialist

Martin Burns — Senior Information Security Specialist

Joe D'Allacco — Senior Information Security Specialist

Leon Dordoy — Information Security Specialist

Todd Spano — Senior Information Security Specialist

Luke Khan — Head of Information Security Services and Risk Management

Clive Kingston — Senior Information Security Specialist

© Arc, All Rights Reserved.