The Case for Cyber Reinsurance

The Fight Against Economic Crime Z/Yen Group Zest for Enlightenment How Governments & Industries Can Jointly Address Cyber Risks The Case for Cyber Reinsurance Z/Yen Group Limited Risk Reward Managers 90 Basinghall Street London EC2V 5AY United Kingdom tel: +44 (20) 7562-9562 www.zyen.com Professor Michael Mainelli Wednesday, 3 September

Z/Yen Special City of London s leading commercial think-tank Services projects, strategy, expertise on demand, coaching, research, analytics, modern systems Sectors technology, finance, voluntary, professional services, outsourcing Independent Publisher Book Awards Finance, Investment & Economics Gold Prize 2012 for The Price of Fish British Computer Society IT Director of the Year 2004 for PropheZy and VizZy DTI Smart Award 2003 for PropheZy Sunday Times Book of the Week, Clean Business Cuisine 1.9M Foresight Challenge Award for Financial aboratory visualising financial risk 1997

Z/Yen in Finance Representative Financial Services Clients

Z/Yen in Finance Research Blockchains (current) Long Finance predicting bubbles (current) LIBOR and FX litigation (current) Prediction markets (1998-present) www.extzy.com Market Intelligence MoD, e.g. Vision 2020 Avatars for Big Data (2010-2012) PropheZy and VizZy Automation of Compliance monitoring (2005-2008) Financial aboratory Club visualising risk (1997-1998)

LIBOR

Government & Industry History Ineffective Costly Anti-competitive No feedback Fundamental AML conflict asking financial institutions to police legal-financial boundaries globally

Casualties [Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]

Cyber Snake Oil? Get a detailed grip on the big picture. Chao Kli Ning

Why Should Carbon Smell Funny?

EU ETS A Serious and Important Market

Yet Odorous Due to Cyber and Political Risk [Source: ICE ECX EUAs]

Generic Risk/Reward Profiles High Exploit Strategic Decisions (enhance, keep, sell, forego) REWARD Low Key Assumptions Defend, Destabilise, Exit Low RISK High (avoid, pool/share mitigate, eliminate)

Government Finance Investor Guarantor Enterprise Benefactor Role Expanding Frontiers Changing Systems Service Delivery Communitarian Reward Enhancement Lotteries, prizes, coinvestment Achievement funding Volatility Reduction Policy performance bonds Standards, minimum wages, vice taxes, tolls Charge, spend or subsidise Spend or subsidise Risk Avoidance Research spend Insurance/ Reinsurance Sorcerer s Apprentice Fiat Currency

The Pool Re scheme has been set up by the insurance industry in co-operation with the UK government so that insurers can continue to cover losses resulting from damage caused by acts of terrorism to commercial property in Great Britain. Insurers that participate in the scheme offer terrorism cover as part of the relevant commercial policies they issue when their policyholders request them to do so. Each insurer must pay losses up to a threshold, which is determined individually for that insurer. When losses exceed that threshold, the insurer can claim upon reserves accumulated by the insurance industry on a mutual basis within a separate company, Pool Reinsurance Company Limited ( Pool Re ). Should terrorism claims exceed these reserves, Pool Re can, in turn, draw funds from government to enable it to meet its obligations in full, regardless of the scale of losses.

Cyber Reinsurance - Proposal Cyber Re is a reinsurer for circa above 100 million exposure Cyber Re exists not to insure, but to allow insurers to insure by providing re-insurance, in turn providing regulators with the assurance that terrorism insurance can be safely underwritten Basic policy is business interruption Cyber Re is focused on creating a club with members, thus encouraging members to share information and reduce risk by sharing information, as well as to grow their market Cyber Re should be close to no-cost and quite small operationally

Cyber Re Tasks Helping members to assess their exposure Sharing best practice in assessment and risk reduction, including the development and use of appropriate standards (e.g. ISO 27000 series) Working with members to plan risk reduction programmes Providing controlled risk transfer mechanisms for members who achieve stated levels of risk reduction or undertake risk reduction activities to stated levels of quality Managing members interests to achieve equitable risk sharing Handling reinsurance with HM treasury and other governmental entities

Options A Financial View 7. Capital markets solutions Effort Cyber Reinsurance 5. Trade mutual 4. UK company or Lloyd s syndicate 6. Industry mutual 1. Information sharing for internal funds 2. Badged insurance 3. Captive insurance company or PCC Scope

Obvious Issues What risks are jointly shared BUT on which organisations do not compete? Does business interruption cover make a difference? Can these risks be assessed and managed (e.g. standards and certification schemes)? Is there benefit in joint learning about risks? Is there an industry benefit in perceived risk management/guarantees? Can industry and government co-operate?

Progress to Date Z/Yen Group Discussion - Cabinet Office, Metropolitan Police, Home Office, City of London Corporation, BIS, NATO, United Kingdom Accreditation Service, London Stock Exchange, NYSE Euronext, ICE, LCH.Clearnet, Markit, Yahoo, ebay, Futures & Options Association, Thomson Reuters, Bloomberg, Aviva, Barbican, Steptoe & Johnson LLP, ENISA European Network and Information Security Agency, Barclays, RFIB, Munich Re, Swiss Re (indirectly), Willis, Alpheus, Intellect, Birkbeck College, Centre for the Study of Financial Innovation, Chatham House Consultation programme CityForum with Cabinet Office, GCHQ, HM Treasury, City of London Police When would we know our cyber risk management is working?

Thank you! Get a big picture grip on the details. Chao Kli Ning