ABOUT US

>> We are one of the largest insurance brokers in the world
>> We have over 180 years of history and experience in insurance; we currently operate in over 400 offices in nearly 120 countries, with a global team of approximately 17,000 Associates serving clients in some 190 countries
>> USD 32.2 billion of global premiums placed through worldwide markets

Any company that stores personal data, or is reliant on computer or telephone networks, digital information or the internet, faces cyber exposures.
What are cyber risks?

Today, using computers and logging on to public and private networks has become second nature in both our personal and business lives. We are all constantly producing and saving data, surfing the net, uploading content and sending and receiving traffic. It is difficult to recall how we were ever able to manage without such technologies and the benefits they bring. However, in creating this new digital world we have also created a by-product: Cyber risks.

Cyber risks are faced not just by e-commerce companies and those undertaking transactions over the internet, but also by companies that store personal data, are reliant on computer or telephone networks, hold digital information or use the internet. In short, just about every business in the world today is faced with Cyber risks. Some of the core Cyber exposures include:

>> Privacy Breach
Anyone that stores Personal Identifiable Information (PII) is exposed to data breaches. Data breaches may occur from a hack, a disgruntled employee or even a lost laptop. In the UK the cost a company faces as a result of one compromised record is approximately GBP 70; large-scale breaches can therefore be very costly indeed.

>> Network Downtime
Most companies are reliant on networks, whether it's the network that interconnects various company sites, enterprise private networks or the critical backbone network that deals with network performance management and network congestion. Network downtime can be caused not just by malicious hacks such as a Denial of Service (DoS) attack, but also by operational failures involving software and hardware failures, both of which can have a significant financial impact on a business.

>> MULTIMEDIA RISKS
Social media is now a key marketing strategy utilised by companies. However, User Generated Content (UGC) and the posting of unlicensed content have caused a dramatic increase in online defamation claims and intellectual property infringement claims. The use of such sites requires additional infrastructure and maintenance resources, to ensure the appropriate defensive layers are in place to protect the company. Monitoring of chat rooms is not always possible, and reliance on self-regulation by the audience is a dangerous strategy. Also, pre-screening is not possible on Facebook and Twitter, and the minimum fallback must be relevant staff training.

>> Cyber extortion
Cyber extortion is a crime involving an attack, or threat of attack, against a company, coupled with a demand for money to stop the attack. There are various types of Cyber extortion, but originally DoS attacks were the most common method. More recently Cyber criminals have developed actual ransomware that can be used to encrypt the target's data. The attacker then demands money for the decryption key. The probability of prosecuting the criminals is low because criminal gangs usually operate from countries other than those of their target. Cyber extortion is big business, with criminals earning millions of pounds annually, and the majority of Cyber extortion episodes go unreported because victims do not want the publicity.
THE DATA BREACH PHENOMENA

By far the most well-known Cyber risk, and presently the most common cause of Cyber risk claims notified to the Willis FINEX Global practice group and the insurance market, is a privacy/data breach. Breaches can occur in a variety of ways, from hacking to lost laptops. Common to all breaches is the significant quantum of the costs suffered by the breached company to deal with the data theft/loss. Increasing data protection legislation, the growth of the underground digital economy and new technology such as cloud computing and social media have seen the number of data breaches significantly increase year on year. Some of the largest breaches that have occurred have cost companies upwards of GBP 100m.

Costs as a result of a data breach can include:

>> FORENSIC COSTS
Immediately after a breach it will be necessary to carry out forensic analysis and investigations to identify and contain the breach. It may also be necessary to undertake an official forensic audit by approved auditors of the relevant data protection authority.

>> Notification
In the event there is a data breach, customers affected by the breach will need to be notified. This is mandatory in the US, Spain, Germany, Austria and Norway; however, it is considered good practice by the Information Commissioner's Office (ICO) here in the UK. Notifying customers will also ensure that consumer churn is kept to a minimum.

>> Credit monitoring
Another service provided by companies to their customers after a security breach is credit monitoring. This is a service provided by a third party to monitor the affected individual's credit history for fraudulent activity. It may be offered for up to 5 years post breach.

>> PR Costs
In the event of a major security breach it is necessary to employ PR expertise in order to try to reduce the reputational impact to a company.

>> Crisis Management Costs
Other miscellaneous costs, including setting up of third party call centres for affected customers.

>> Fines and penalties
Regulatory fines and penalties, plus Payment Card Industry (PCI) fines where credit card information is involved.

>> LIABILITIES
Companies may incur liability claims for damages from banks if financial data has been taken, from the individuals themselves for any costs they have incurred as a result of the breach such as time off work, and from any other third parties that may have suffered a financial loss from the breach.
CYBER INCIDENTS/CLAIMS SCENARIOS

The table below looks at some of the most common types of Cyber claims and highlights the associated costs that companies could face as a result:

| Industry | Scenario | Costs incurred | Type of cover |
|---|---|---|---|
| Retail | A hacker accessed the retailer's network and stole 15 million customers' PII. | The retailer incurred significant costs to deal with the breach including forensic costs, notification costs, PCI fines and credit monitoring costs. Liability claims followed. | Privacy/Network Security Liability/Privacy event mitigation costs, PCI fines. |
| Hotel | A hotel group's point of sale network was hacked into and 6 million customers' credit card details were taken. | The hotel experienced high forensic costs to isolate the hack. Additional costs included mandatory notification costs and PCI fines. The hotel offered all of the individuals 2 years credit monitoring service. They also received liability claims for damages from the banks. | Privacy/Network Security Liability/Privacy event mitigation costs, PCI fines. |
| Airline | An airline received a Distributed Denial of Service (DDoS) attack bringing down their online sales platform for 48 hours. | The airline experienced a significant loss of revenue during the network downtime plus increased costs of working. | Non-physical business interruption. |
| Media | The media company utilised content on their website without obtaining the appropriate licences. | They were successfully sued for over GBP 1m for copyright infringement. | Multimedia Liability. |
| Financial Services | An employee of a financial services company left a laptop in a public place containing the PII of its clients. | Costs included the hire of a PR firm, notification to all of the customers affected, setup of an ID theft/credit alert service call centre and credit monitoring services. | Privacy/Network Security Liability/Privacy event mitigation costs. |
| Gaming | A hacker threatened to take down the private network of the gaming company unless they paid them GBP 5m. | Investigation costs to identify the threat plus the extortion demand amount. | Cyber Extortion. |
FINEX Global CYBER COVER

Willis FINEX Global, in conjunction with key Cyber markets, has developed a market-leading Cyber Insurance solution:

>> Privacy protection
1. Third party and employee privacy liability for damages and claims expenses as a result of a privacy breach.
2. Privacy regulatory defence and penalties.
3. Notification expenses to notify victims of privacy breaches.
4. Forensic costs to contain a breach and carry out the necessary forensic audits following a breach.
5. PR expenses to help limit the reputation impact following a security breach.
6. Credit monitoring costs to monitor the victims' credit history for fraudulent activity.
7. Payment Card Industry (PCI) fines.
8. Reputational risk extension as a result of a data breach (case by case basis).

PLUS other Cyber liability coverages including:
9. Network Security Liability for damages and claims expenses the insured is legally obligated to pay, arising out of computer attacks caused by failures of security.
10. Negligent transmission of a virus: for damages to customers' computer systems and/or data.
11. Multimedia Liability, Intellectual Property Infringement and libel and slander due to or website content.

>> Loss of Digital Assets including non-physical business interruption
1. Data/electronic information loss: The costs to restore data that has been lost or corrupted.
2. Indemnification for loss of revenue following unplanned system outage and increased cost of working.
3. Cyber extortion coverage: Covers both the costs of investigation and the extortion demand amount related to a threat to commit a computer attack.
4. Cyber terrorism coverage (case by case).

Typically this will act as the template coverage. After a period of consultation, our e-solution experts will further develop and tailor the coverages so that they are aligned with your business-specific risk profile.
WHY FINEX Global Cyber PRACTICE?

>> Specialist knowledge
With our specialised knowledge in the sector we are able to design innovative programmes that specifically reflect the needs of our Cyber clients. For our clients the benefits are simple: expert advice ensuring the ultimate in cost-effective programme design.

>> A consultative approach
We fully analyse your Cyber exposures before proposing the most appropriate Cyber risk transfer solutions for your business.

>> Exclusive wordings
Our Cyber Practice has its own exclusive wording that we have designed in conjunction with key Cyber insurers. The breadth of coverage goes way beyond the off-the-shelf products typically offered.

>> Claims Handling
We have been in the Cyber market for over 10 years and our claims team have developed insightful experience in how best to deal with your Cyber claim to ensure it gets paid.

>> Cyber RISK MANAGEMENT
We can establish your Cyber risk profile utilising Cyber assessment tools. This will allow you to take the appropriate actions to better protect your company's computer network resource and information assets in order to mitigate potential network risks.

>> MARKET LEVERAGE
Willis has excellent market leverage due to the significant amount of premium that our Cyber Practice places into the market.

>> Marketing approach
The same team that analyses your risks and develops a protection strategy approaches markets on your behalf.

>> The Willis One Flag approach
Willis expertise in all our offices around the world is available to you, essential for international companies who need to comply with the various international data protection laws.

>> Cyber Risks Information updates
Our clients are kept up-to-date with the latest Cyber trends via the Cyber e-newsletter, seminars and workshops.

If you are concerned about your business's Cyber risks, contact us and arrange an initial consultation to start mapping out your risks: Jeremy Smith +44 (0)
Willis Limited
The Willis Building
51 Lime Street
London, EC3M 7DQ
United Kingdom
Tel: +44 (0)

Jeremy Smith +44 (0)

Willis Limited, Registered number: England and Wales. Registered address: 51 Lime Street, London, EC3M 7DQ. A Lloyd's Broker. Authorised and regulated by the Financial Services Authority. 9895/09/11