Be Afraid, Be Very Afraid!!! Hacking Out the Pros and Cons of Captive Cyber Liability Insurance
Today's agenda
- Introductions
- Cyber exposure overview
- Cyber insurance market and coverages
- Captive cyber insurance pros, cons and strategies
Panelists
- Jim Bulkowski, New York, Jim.Bulkowski@ey.com, 1 212 773 3567
- Mark Millard, New York, Mark.Millard@ey.com, 1 212 773 4704
Cyber exposure overview
Cyber exposure and mitigation: key topics
- Modeling of cyber exposure
- Mega claims (Sony, Target, US OPM, Anthem, etc.)
- S&P Ratings
- National Data Breach Law
- Cyber Risk
- Ability to pursue recoveries from third parties
- Potential personal liability for Directors & Officers
- Bodily injury and property damage exposure
- Current program vs. ideal coverage tailored to risk profile
Number and types of incidents
Risk ID: What generates your risk exposure
- Industry type: Healthcare, Retail, Financial Institutions, Technology Services
- Services you provide: Business to Business, Consumer
- Third party service providers: Data Hosting, Data Processing, Data Storage
- Type of information you have: PII, PHI, SCI, FI
Risk ID: Where does your exposure come from
Sources of cyber exposure:
- Employees
- Government
- Vendors
- Clients
- Criminal elements
Short of using the postal service as your sole method of communication, no level of security protection is guaranteed to completely mitigate exposure to cyber damage and liability.
Cyber liability market and coverages
Growth of cyber insurance market
- Marketplace has doubled from 2013 to 2014, with $2B in gross written premium
- Market is expected to grow to $5B - $6B in the coming years
- Approximately 50 markets are writing cyber coverage, with more entering the market every month
- Only about 1% of captive owners write cyber liability in their captive!
Risk quantification
Global risk quantification

IBM / Ponemon Study
- Average record cost: $217 ($143 indirect, $74 direct)
- Average breach cost: $6.53 million
- 62 companies participated
- Breached records: 5.6K to 96.5K (capped at 100K)

NetDiligence Insurance Claim Study
- Average record cost: $956
- Median record cost: $19.84
- Average claim payout: $733K
- 111 claims evaluated
- Average records exposed: 2.4M (no cap)
Cyber liability insurance coverage

Information Security and Privacy Liability
- Loss, theft, or unauthorized disclosure
- Damage to data stored on systems
- Violation of breach notification law

Privacy Notification and Crisis Management Expenses
- Computer security expert after breach
- Call center for information on breach
- Credit monitoring (typically 1 year)
- Pay losses from identity theft

Regulatory Defense and Penalties
- Coverage for defense costs, fines and penalties

Website Media Content Liability
- Personal injury
- Commercial violation

Time Element Coverage
- Business Interruption and Extra Expense

Data Assets
Extortion
Computer fraud
Funds transfer
Theft of Assets

Insurance marketplace
- Available capacity: $500M
- Less than $100M for certain industries
- Typical deductible ranges: $5K - $1M
Captive cyber liability insurance strategies
Captive market

Cyber: 1% of captive owners
- Cyber liability may not be perceived as material enough to justify inclusion within the captive
- Not fully understood
- Coverages and forms varied

US based captives
- Majority are from the healthcare industry and financial institutions
- Other industries are professional services groups and retailers

EU based captives
- Proposed EU legislation will empower national data commissioners to fine companies that violate EU data protection rules - penalties of up to 100 million
- The risk-based capital model of Solvency II promotes the diversification benefits of writing new and additional insurance covers
Captive insurance
Traditional advantages also apply to cyber risk
Captive cyber insurance advantages

TOPIC: PRO
- D&O Protection: May protect the D&Os against shareholder lawsuits for not managing risk
- Reinsurance Market: Transferred to reinsurance - currently offering higher capacity than primary insurance
- Surplus Build: Companies can retain the premium dollars for this new coverage area in a captive rather than pay a commercial insurer
- Policy Terms: Ability to receive better policy terms through their captive
- Market Volatility: Ability to avoid the volatility of commercial insurance pricing and policy term restrictions
- Structured Programs: Ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time
- Deductible Buy Down: The ability to buy down one's deductible or serve as a cyber risk reinsurer
- Cyber Liability Occurrence: Write cyber risk insurance using a manuscript policy occurrence form. Build up solid surplus in their captive to use for their cyber risk losses down the road.
- Coverage Gaps: The ability to structure your insurance program more easily given that the captive can fill any gaps in coverage that could materialize over time
- Claim Payments: Captive typically settled quickly
- Tax Efficiencies: Potential state, federal, international tax benefits
Cyber captive insurance: Bespoke concepts
- Policy limits: $50k to $50m per occurrence - reflect the relatively unknown quantity of cyber insurance limits
- Coverage Mirror: Most captive cyber limits are based on what the market insurers are offering tailored coverage
- Exposure Assessment: Organizations often struggle with understanding their individual exposure to a level that would allow a scientific approach to calculating the organization's cyber exposure.
Cyber captive insurance: Bespoke concepts
- Litigation Coverage: Cyber claims defense costs
- Special cyber risk coverage:
  - Future lost revenue
  - Dependent system failure business interruption
  - Physical damage or bodily injury resulting from cyber peril (excess/DIC above other applicable insurance)
  - First-party loss of inventory due to technology failure
  - Loss of value of intangible assets
- Insure first party loss, third party liability and crisis expenses cover may be available in the reinsurance market
- Combine Risks: Encompass highly correlated risks, for example cyber and reputation, which may not be packaged in the commercial market.
Captive cyber insurance challenges
- Cyber risk is a high-severity, low-frequency risk that does not easily lend itself to a captive solution.
- Captives do better with more predictable high-frequency, low-severity risk resulting in a large probable number of claims
- Capital requirements?
- Regulators do not understand it
- You may have a loss!
What to do? Next steps
- Analyze your company's exposure to cyber risk (probably already done through IT department)
- Explore traditional insurance risk transfer products/pricing and coverage
- Identify captive solutions in concert with self insurance/risk transfer
- Obtain executive concurrence on next steps
Questions?