Managing E-Risks in today s cyberspace: Growth of Cyber Liability Insurance

Transcription

1 WHITEPAPER MARCH Managing E-Risks in today s cyberspace: Growth of Cyber Liability Insurance

2 Abstract With cyber-attacks becoming increasingly sophisticated and frequent, and with IT data volumes growing at an unprecedented rate, data breaches have become inevitable. Leading organizations across the world are failing to deal with cyber threats in their risk management strategies. These threats will become considerably more acute for organizations as a result of growing dependence on technology and web-based solutions such as cloud computing. While cyber risks are sometimes thought of as online or Internet risks, a massive information theft recently occurred at Target s brick-and-mortar stores when customers swiped cards and entered PINs while making in-store purchases. Currently, most buyers are high risk entities such as financial institutions, healthcare providers and retail companies. But as these larger businesses develop a better understanding of the risks associated with holding private data electronically and take measures to protect themselves, hackers will turn their attention towards smaller organizations. Whilst the rewards might not be as high, SMEs are often less secure and less prepared in the event of a privacy breach. Therefore cyber cover will be seen as an essential component of any commercial insurance program for every size of business operating in every market and industry. Average total cost of data breach( 000 USD) Average cost per capita of data breach (USD)

3 Am I exposed to cyber risk? What risk do I face in case of an attack? Any company that stores personal data, are reliant on computer or telephone network, digital information or the internet face cyber risks. In short, every business in the world today faces cyber risks, some of the core cyber exposures include. Risk Types Costs Involved First Party Network Loss Privacy Breach and Security Liability Loss of business income Costs to restore the network Costs to replicate/replace lost data Increased cost of working 3rd Party damages Regulatory fines and penalties PR costs Costs to notify affected individuals Identity Theft monitoring costs Forensics costs Legal fees Reputational Loss Loss in sales revenue PR costs Cyber Extortions Extortion expenses PR costs Legal fees Target store s recent data breach involves many issues, such as reputational damage, legal and PR issues, potential legal liability for fraudulent charges, customer lawsuits, shareholder lawsuits, bank and credit union lawsuits, PCI DSS penalties/fines, regulatory fines, POS network security failure, potential drop in share price, impacted P&L reports and investigations by State Attorneys General, the Secret Service, FBI and Federal Trade Commission. Target has already announced to offer free credit report monitoring to affected consumers in order to salvage the situation on PR front.

4 Changing Regulatory Landscape imposing greater risks New data privacy bills are being introduced around the globe, with the United States and European Union at the forefront. Mandatory encryption of all sensitive personal information globally. Privacy breach fines will increase significantly from current levels. Statutory damages, a fixed cost per record breached, will be brought in for loss of personal data. Risk Transfer Options There are generally four accepted ways of dealing with business risk: Acceptance, Mitigation, Avoidance and Transfer. Typically, some combination of these strategies is implemented, depending on the particular risk. In case of Cyber-attacks following measures were mostly used: Acceptance: budgeting for expected losses. Mitigation: deploying processes or technologies to reduce risk such as information security and breach response plan, physical security measures, network security measures, device security measures and data, e-publishing and social media policies. However lately, insurance carriers are witnessing uptake in avoidance and transfer strategies such as: Contractual obligation in case of outsourcing or hedging third party risks. Cyber coverage on a primary basis with breach response and coverage varying based on insurer and policy structure. Additional insurers for consideration of excess limits. Self-insure against data breaches through non-traditional captive underwriting (1% of captive risk coverage currently) especially among retail and consumer product companies. Cyber Liability Insurance and Cyber coverage The marketplace has evolved to provide cyber specific services solution, including loss control resources; data breach coaches, dedicated claims resources, pre-approved panels of vendors and service providers to address each element of breach response. Following chart shows difference in cyber coverage to traditional policies.

5 Coverage Type General Liability Property/Business Interruption Professional Liability Cyber Liability First Party Cyber Losses Network Interruption Restoration, Recollection, Recreation of Digital Assets Cyber Extortions Data Privacy and Security Third Party Losses Breach of Sensitive third Party Information Intellectual Property Infringement, Plagiarism and Defamation Data Breach Caused by a Third Party Outsourcer Distributed Denial of Service or Lost/Stolen Laptop or Hardware Data Breach due to a Security Breach Data Privacy and Security First Party Losses Data Protection Fines and Penalties Data Protection Investigation and Defense Expenses Public Relations Costs Data Protection Legal Expenses Credit/Identity Theft Monitoring Expenses Data Breach Notification Expenses Industry Adoption The number of United States companies purchasing cyber insurance has increased with the availability of the insurance products. Services industry, which includes professional, business, legal, accounting and personal services firms, experienced the largest uptick in the number of clients purchasing cyber insurance.

6 ACE, AIG, Beazley and Hiscox are the biggest insurer in the market having large books of claims and are handling several claims per week. Market Outlook Annual Gross Written Premium: Industry revenue is expected to grow at an average annual rate of 11.8% to 1.5 billion USD because of the rising percentage of services conducted online. Market Concentration: Concentration in the Cyber Liability Insurance industry is low. Most insurance providers operate within metropolitan areas and provide services to a wide range of clients, which includes Fortune 500 corporations and start-up companies. Market share of insurers in major markets like US and Europe has decreased in the last five years to 2013 due to increasing competition. As a result, larger companies have started looking to expand their footprint in more profitable areas where such threats are most prominent. Purchasing Models Stakeholder Involvement Brokerage Primary purchasing evaluation and decision making in selecting and obtaining cyber risk policies is typically handled, by risk management teams, compliance leaders or, CSO/CISO with secondary input from general counsels, CFOs and other C-Level or business unit executives. A good specialist broker is usually preferred. However, this may or may not be the incumbent broker for non-cyber risks. Specialist brokers will not only help in getting the most appropriate coverage and favorable policy terms for the organization but will also help in the overall IT and security risk assessment required by the insurer during application.

7 Coverage Model: Regional coverage model is the most widely adopted model in the industry due to various factors: Geographical Limitation: Currently insurers have not expanded globally in their offerings on cyber insurance. Buyers find it difficult to obtain consistent coverage on their requirements globally. Underwriting Capabilities: High premium rates, coverage deductions are major reasons for low uptake of the insurance among buyers. Low market capacities, risk averseness of the insurers make it difficult for insured and brokers to structure cyber liability insurance for a corporation globally. Regulations: Regulation is a big constraint in the market. Major matured markets vary diversely from the developing markets in their data privacy laws and regulations. Also policy triggers, breach costs varies with region. Regional policy helps buyers to be consistent with the local laws and regulations. Purchase Recommendations Exposure Analysis: The first step in buying cyber insurance is to understand the nature and the extent of the risks facing the organization. For some businesses, like banks and retailers, the primary concern is the theft of personal financial information. On the other hand, the major risk to a utility or energy company is the disruption of critical businesses or physical operations through attacks on networks. Businesses should tailor their coverage to the risks that they face.

8 Analyze Coverage Model: Revenue loss due to network business interruption, information asset loss, first party data breach mitigation Financial damages or loss due to failure of technology or software to perform as intended, third party financial damages from a data breach, data breach-related regulatory fines and penalties, contingent regulatory losses, recall costs where no tangible damage in end product occurs. Revenue loss due to property damage events 3rd party recall costs associated with tangibly damaged goods or products Revenue loss due to theft of trade secrets/ intellectual capital and introduction of competing products into marketplace, criminal fines and penalties 3rd party property damage or bodily injury losses where insured s products directly cause loss. Should be covered under GL products/recall policies. Covered under property, general workers comp programs liability, and Contingent bodily injury and property damage losses due to the failure of technology or software products (no direct damage) Other recommendations: Negotiate Retroactive Coverage: Cyber policies sometimes restrict coverage to breaches or losses that occur after a specific date. In some forms, this is the inception date of the policy. This means that there would be no coverage for breaches that occurred before the inception of the policy. Because breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date. Triggers: It is important to understand what activates coverage under your cyber policy. Some policies are triggered on the date the loss occurs, while others are triggered on the date that a claim is made against the insured. In order to provide proper notice, you need to understand how coverage applies under each policy you purchase. Cyber Insurance with Indemnity Agreements: Organizations should ensure that their company s indemnity agreements work hand-in-hand with cyber insurance. For example, many cyber insurance policies have retentions and require that the retention be satisfied by the insured. Insurers may interpret that the insured pay the retention out of its own pocket and that a payment by a third party under an

9 indemnity agreement would not satisfy the retention. This is a subject for negotiation with the insurer during the underwriting process. Sublimit: Most cyber insurance policies impose sublimit on some coverage, such as for crisis management expenses, notification costs and regulatory investigations. These sublimits are often inadequate, but many carriers are willing to negotiate on the size of the sublimit, often with no increase in premium. Security Infrastructure and Cyber Insurance Upon application of cyber insurance policy, most insurers will undertake either a security audit or review of disaster plan as part of its risk assessment for actuarial purposes. Large corporations are generally assessed by independent third-parties, usually at their own expense. The assessment covers security configurations, documentation of security plans, password management, backup procedures and more. Industry best practices in securing data such as encryption, PCI DSS; installation of firewall and antivirus is some bare requirements depending upon industry type. For example, Travelers application asks whether multi-factor authentication process (multiple security measures used to reliably authenticate/verify the identity of a customer or other authorized user) or a layered security approach is required to access secure areas of Applicant's website. Obviously, the risk assessment of security practices will impact not only the organizations qualification but also its premiums. Through periodic security evaluation, cyber insurance forces insured to review its practices and encourage making them better either by putting additional security technologies in place or training employees to handle private information safely. Improving data security will help lower premium payment. Carriers have started offering risk management services and loss control program to help clients in area of security plan development, data security training to employees, detailed vulnerability assessments and many more. Some carriers have web portals providing free security advice, free services like privacy training, or discounted products and services. Industry Benchmarks:

10 Insurance Limits Widely Purchased Limit Average Limit Maximum Limit US Business (Single Policy) 1-5 Million USD 16.8 Million USD Million USD (single insurer) US Business (Multiple tower policy) Million USD Deductibles Widely Purchased Limit Average Limit Maximum Limit Small and Medium Enterprise ,000 USD - - Large Companies 250, Million+ USD. - - Premiums Average Premium Small and Medium Enterprise 10,000 to 35,000 USD for 1 million USD in coverage Large Companies 10,000 50,000 USD for 1 million USD in coverage Premium Growths Network, Information Security, and Private 5% decrease to 5% increase Flat to 5% increase With increase in availability of cyber insurance, insurers have developed understanding of these risks. Some carriers have good underwriting experience in the market compared to others. As a result, insurers face difficulty in pricing these insurance structures, and large variances (as much as 25 percent) in premiums can be observed by different insurers to insure the same risk. When should you consider Cyber Insurance? Decision whether to hedge cyber risks through insurance depends on various factors such Client industry (Certain industries are at high risk than others) Exposure to third party sensitive data (such as credit card details, personal details etc.) IT infrastructure management and dependence on cloud or hosted services Involvement of outsourcing partners.

11 However there are two major ways to determine the impact: Risk Assessment: Comparing Data Breach costs (financial and reputational impact) to deductible offered by the insurer and premiums charged. In case, Data Breach Cost <= Deductible offered by Insurer. (No insurance taken, internal IT infrastructure and security is strengthened and enhanced) Gap Analysis: Assess security strength against any potential threat. In case threat posed is low or manageable many organizations opt for self-insurance and purchase a re-insurance cover against it. Success Stories Client Industry Client Name Information stored Breach Incident Insurance Coverage HealthCare Partner s Healthcare Health care records, personal details, credit card payment details (130 Million USD) Employee left records of 192 Massachusetts General Hospital patients on an MBTA train. Separate cyber insurance coverage was purchased, instead of relying on an umbrella policy. The hospital paid a 1 million USD fine to the US Department of Health and Human Services, which was covered by the cyber insurance. Client Industry Client Name Information stored Breach Incident Insurance Coverage Retail Target Personal details, credit card details Data breach of 70 million customer s credit card details. 100 million of cyber insurance, including self-insured retentions, and 65 million USD of directors and officer s liability coverage. Target is self-insured for the first 10 million USD of cyber coverage. Additional cyber insurance through: o 15 million USD of excess coverage with Ace Ltd. o 15 million USD layer with AIG Inc. o 10 million USD layer with Bermuda-based Axis Capital Holdings Ltd o 10 million USD coverage layer with AIG o Quota share for the next $40 million of cyber insurance divided among four unidentified insurers.

12 Client Industry Client Name Information stored Breach Incident Insurance Coverage Financial Services BNY Mellon Customer account details Loss of Backup Tapes containing encrypted customer details. Cyber liability insurance bought 5 years ago for 10 million USD Since purchasing the initial policy, the bank has increased limit to 50 million USD limit. Policy s coverage terms and conditions have also broadened to include victim notification of a breach. Conclusion Cyber threats are increasing globally and with enactment of various laws and regulations, various industries (existing and new) are facing enhanced risks and financial impact in case of data breaches. High premium rates and coverage exclusions were major constraints to the product s growth; insurers in recent years have increased both capacity and coverage to make the product more relevant to its buyers. Prices currently offered by insurers are much comprehensive compared to coverage s offered 10 years back when the product was launched. But with cyber related claims frequency and severity increasing in the last few years premium are expected to remain flat or increase slightly. Cyber liability insurance has become a less discretional spend in recent years. It is already a part of board discussions and with the increase in the product and supplier market maturity; it is expected to become a mandatory purchase for certain industries.