Lillehammer Energy Claims Conference, Lillehammer, March 7, 2014. Insurance implications for Cyber Threats: How enterprises need to prepare for the inevitable
JLT is one of the world's largest providers of insurance and employee benefits related advice, brokerage and associated services. Part of the Jardine Lloyd Thompson Group, JLT Specialty provides insurance broking and risk management services across the globe. As a specialist insurance broker it focusses on sectors where it can make the greatest difference to clients, working hard to understand the challenges they face and using insight, intelligence and imagination to provide expert advice and robust, often unique solutions. With over 900 employees and revenues of more than GBP240m in 2012, it places more than GBP2bn of premium into the insurance market every year. More detailed financial slides are available on the Group website http://www.jltgroup.com/investors/analyst-presentations/
Key trends for Oil & Gas: What drives risk exposures. Networked infrastructure; Hackers, Groups and Hacktivism; Technology innovation; High profile Cyber attacks; Data as a differentiator; Cybercrime economy
Where are the Cyber Threats coming from? Rogue employees Careless staff Contractors Social media/networking Internal Technology ICS/SCADA systems Payment systems Mobile Devices, Internet of Things/M2M Structural vulnerability of systems or in supply chain Cloud Computing Old school Crime/Espionage/Terror: Foreign & Domestic criminals/hackers Competitors Third-party contractors States External Regulatory Stupidity/carelessness Laptop theft Dumpster diving Phishing, Smishing, etc. Data Privacy Legislation Security Directives National Security
Global Cyber Event Heatmap
What could insurance have covered? Some real examples. Saudi Aramco - 2012 - Shamoon virus: Isolated to corporate network; Destroyed hard drives and erased data; Did not directly affect hydrocarbon exploration/production systems; Loss of data; Productivity losses; Expenses. RasGas - 2012 - Hacker attack: Attack shut down website and email servers; Productivity losses; Expenses. Chevron - 2010 - Virus Stuxnet: Servers infected by virus; Virus did not have any adverse effects; Expenses
Cyber Events - Insurable Consequences: Business disruptions. Physical damage: property damage ensuing from cyber event or technology failure. Revenue loss: business interruption caused by cyber event or other IT failures (importantly, both physical and non-physical triggers). Consequential loss: IT failure or cyber event at suppliers or customers leading to a consequential loss to you. Cyber terrorism: cyber terrorists attack corporates or public infrastructure, with resulting property damage, business interruption, increased costs of working, mitigation costs, liabilities etc. Denial of Service: IT failure leading to a consequential loss to customers caused by inability to access their services and/or data.
Cyber Event Insurable Consequences: Data Breach/Loss of Data. First Party exposures for privacy breaches: notification costs, fines and penalties, regulatory actions and crisis management expenses incurred after an event. Third Party exposures for privacy breaches: liability for customers' liabilities/losses in respect of a breach. Cyber liability/transmission of malware: for example, corruption of customers' data due to the transmission of malware through the corporate's systems. Loss or corruption of your own and customer data: loss of valuable data and the resultant liabilities (including intellectual property).
Cyber Event Insurable Consequences: Failure to Service. Errors and Omissions: IT/network security or failure event leading to the failure to service customers or general failure of a product/service or to meet advertised specifications. Cyber extortion: IT systems/services being held ransom by a third party and the associated costs/ransom payments. The result could be failure to service customers. Denial of Service: IT failure leading to a consequential loss to customers caused by inability to access their services and/or data. Viewed as breach of service. Reputational damage: mitigation/proactive action (including crisis management/public relations expenses) and the potential for increased customer churn in the short, medium and long-term.
Cyber Event Insurable Consequences: Cyber Crime, Extortion and Terrorism. Financial losses caused by cybercrimes by employees or third parties. Cyber extortion: IT systems/services being held ransom by a third party and the associated costs/ransom payments. Cyber terrorism: terrorism attacks directly onto corporates or onto public infrastructure which leads to resultant property damage, business interruption, increased costs, mitigation costs, liabilities etc.
Cyber Event Insurable Consequences: Other Negative Outcomes. Media liability: libel, slander and disparagement in respect of broadcasting, content and related media. Intellectual Property Rights infringement: infringing upon a third party's IPR or defending first party IP from infringement/invalidity (includes copyright, trademark, digital rights, patent etc.). Directors and Officers Liability: a significant cyber breach/event could lead to a class action, or action by shareholders/other stakeholders against the management of the corporate. Reputational damage: mitigation/proactive action (including crisis management/public relations expenses) and the potential for increased customer churn in the short, medium and long-term.
Where can I find Cyber Insurance protection? Traditional Insurance Policies Bespoke Cyber/Technology Risk Insurance Property Damage/ Business Interruption Terrorism/Political Violence General Liability Non-Tech Professional Indemnity/E&O Crime Directors & Officers Cyber IT systems Business Interruption - Not including ensuing physical damage Cyber Extortion Cyber Crime Loss of Data/ Privacy Breach Technology Professional Indemnity/Errors & Omissions First Party Risks; damage to you Third party risks; damage to others
Cover for cyber related losses in Traditional Insurance policies? Typically not. But if you have a bespoke policy and agreement with insurer. Insurers have incorporated exclusions in many traditional policies that may exclude coverage for damage caused by malicious code. But where those exclusions are limited, or absent, policyholders should check their traditional policies for coverage. There may be limited cover for certain expenses for things such as to reconstitute/restore data. Advertising liability in certain liability policies. Typically physical damage ensuing from a cyber event is excluded. JLT PV/Terror markets willing to modify cyber exclusions to effectively cover resulting physical damage/reinstatement of assets. Business interruption still excluded.
Where can I find Bespoke Cyber Insurance protection? Appx. 30 insurers offer Cyber: $250 to $500m Data Breach/Cyber Liability $100m Non Damage BI Non-Damage BI requires further science Bespoke Cyber/Technology Risk Insurance Cyber IT systems Business Interruption - Not including ensuing physical damage Cyber Extortion First Party Risks; damage to you Physical Damage from a Cyber event not offered or very limited Manuscript Cyber policies available on All Risk basis Cyber Crime Loss of Data/ Privacy Breach Technology Professional Indemnity/Errors & Omissions Third party risks; damage to others
Cyber Insurance: Limitations of the market currently. Lack of coverage consistency. 1st party limits available are not meaningful to large companies. Aggregation and Cyber Hurricane concerns to underwriter. Lack of reinsurance and sufficient cash reserves = lack of limits. Avoidance from traditional insurers: don't like or understand Cyber. Insurers typically do not like SCADA/ICS (ensuing PD/BI). Lack of data leads to problems with the risk analysis & quantification. What are the type and quantum of losses that I can have? Lack of public actuarial data = lack of refined pricing.
Driving the Cyber Insurance market? Critical National Infrastructure Protection Fund Norwegian Cyber Skade Insurance Fund Cyber Re - Government as insurer of last resort (Pool Re) Cyber Risk Insurance Act (TRIA) Cyber Safety Act EU standards of Due Care for IT Network Security Risk Encourage/Mandated cyber data sharing Honest broker? Government purchasing power mandate cyber insurance Oil & Gas industry cyber initiatives? Cyber Mutual Re
Cyber Insurance How to obtain the right product? Know your risks before you buy!! Cyber Risk Workshops Cyber risk and gap analysis Carefully select your risk transfer partners and use your captive(!) Loss scenario stress-testing Claims mapping across your whole insurance program Specialized services to help manage a loss
Failing to manage the risk Not really an option
Conclusion: The world is changing, and fast! Profiles have shifted from physical to non-physical. Intangible assets. Technology and data dependency and interconnections (not meant to!!). New catastrophe exposures are presented by IT/Network Security and further complicated by the adoption of cloud, mobile technology & BYOD. Compliance with regulatory requirements is becoming more challenging. Traditional insurance protection or arrangements will not do the job! Begin to identify, understand, map and share the exposure data related to Cyber! Do the work and future insurance protection can be a protection effective investment given the rapidly increasing level of risk we are facing. Focus needs to be applied into risk identification, data sharing and quantification, benchmarking and loss analysis as well as integrated insurance and risk management solutions.
Questions? Thank you. Fredrik Motzfeldt MBA CPCU, Partner - JLT Communications, Media & Technology Risk Practice, JLT Specialty Limited, The St Botolph Building, 138 Houndsditch, London EC3A 7AW, UK. Direct Dial: +44 (0)207 558 3718 Mobile: +44(0) 7785 632 857