CYBER RISK INSURANCE Presented By: Jonathan Healy
Contents
- Cyber Risk
- Threat Sources
- Cyber events worldwide
- What is covered by a Cyber Liability policy
- Risk Identification
- The gaps in traditional policies
- Consumer attitude to threats and use of cyber insurance as a means of risk transfer
Cyber Risk
The rapid rise in technology-based innovation has made businesses dependent on information technology systems and has created a wave of new risks. Cyber crime, media liabilities arising from online publishing, and a heavy reliance on network uptime are some examples. As a result, organisations face new exposures, including:
- Cyber liability to third parties
- Network security and privacy liability
- Multimedia liability
- System damage and business interruption
- Loss of data
These are just some of the new liabilities that need to be built into a risk management and risk transfer strategy.
Cyber Risk
Cyber Liability to Third Parties
By providing IT platforms via a company network, intranet or a website, organisations are exposed to cyber crime activities such as hacking and virus attacks resulting in unauthorised access to their systems. These cyber crimes may result in financial losses to third parties for which an organisation can be held legally liable.
Network Security and Privacy Liability
Organisations that hold customer data or other sensitive information within their networks have a legal obligation to protect and safeguard this information. Businesses that suffer a privacy or security breach resulting in the compromise of this data often end up with significant and costly obligations under data protection legislation, regulatory issues, and fines and penalties imposed by regulatory bodies.
Multimedia Liability
By providing content or information via a website, organisations are exposed to many of the same legal issues that apply to traditional publishers, such as infringement of copyright, defamation, infringement of intellectual property rights and invasion of privacy.
Business Interruption & Loss of Data
Businesses are increasingly reliant on the robust functioning of their e-commerce and computer networks. In areas such as online sales, online banking, access to databases and many other internal operations, numerous organisations would be unable to operate without their computer systems.
Cyber Risk
Companies faced with cyber risks can be divided into two groups:
1. Those whose risk derives from the provision of Information Technology services
2. Those whose risk derives from their dependency on Information Technology services
Traditional Errors and Omissions / General Liability and Assets policies have major gaps and exclude the following:
- Deliberate and malicious acts such as hacking attacks and virus transmission
- Punitive damages or fines and penalties
- Infringement of Intellectual Property Rights or Defamation (unless specifically extended)
- Business Interruption or Increase in Cost of Working cover following a virus or hacking attack
- Breach of contract
Defining Cyber Risk
By IT standards organisations (if we exchange the word "cyber" for "IT"):
ISACA: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
Key terms: Threat, Vulnerability, Asset, Harm
September 19, 2014
Threat sources
Criminal
Symantec estimated the direct cost of cyber crime in 24 countries to be US$114 billion. Targets include:
- Personal information
- Credit/debit card information
- Held funds
- Intellectual property
- Confidential corporate data
Hacktivist
The world's largest hosting provider of secure websites suffered major outages in September 2012, taking potentially millions of sites down with it. A member associated with the Anonymous collective claimed responsibility. Motivations and targets include:
- Public support for a cause
- Direct impact on core activity
- Corporate or industry-wide scandal
- Top corporate brand target
Threat sources
Terrorist
- Disruption to critical infrastructure
- Economic impact
- Loss of life
- Damage to property
State Sponsored
In May 2013, it was reported that US intelligence agencies traced the compromise of a national inventory of dams to a foreign government or military operatives, raising concerns of a future attack against the national electrical power grid. Objectives include:
- Disruption to critical infrastructure
- Economic impact
- Loss of life
- Espionage
Threat sources
Malice
After analysing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco's network. The virus could have been carried on a USB memory stick inserted into a computer. Sources of malice include:
- Disgruntled employee / customer
- Proof of ability
- Untargeted malicious code
- Random selection
Negligence
Files containing the personal information of more than 6,000 vendors, students and current and former employees at a university were mistakenly made available online during maintenance of a computer. The safeguards that protected the files against public access were accidentally disabled; the files were then indexed by Google and were viewable via its search results. Common forms of negligence include:
- Loss of laptop or portable media
- Virus transmission
- Insufficient security safeguards
- Email
Cyber events worldwide
High profile incidents - Privacy
Target data breach: 110M records affected, including 40M payment cards. Total costs now stand at $236M, with $90M recovered from insurance; $148M was incurred in the last quarter despite the breach occurring in December 2013. (Source: Target Investor Information)
eBay data breach: 145M records, including names, email addresses and other personal data. Subject to investigations by both European regulators and US states; class action launched in July. (Source: BBC Technology)
CyberVor theft: reported that 420,000 web sites have been compromised, 1.2 billion unique user name and password combinations collected, and 542M email addresses collected. (Source: The Register)
Cyber events worldwide
Ways to lose data
- Lost/stolen laptop
- Lost/stolen portable media
- Lost/stolen backup tapes or disks
- Theft using authorised access to computer systems
- Theft by unauthorised intrusion into computer systems (hacking)
- Negligent online disclosure
- Negligent offline disclosure
- Negligent disposal of paper or computer assets
Cyber events worldwide
High profile incidents - Outage
2014 is setting records for DoS: an Arbor Networks report found that at the mid-point of 2014, double the number of events over 20 Gbps had been reported compared with all of 2013. (Source: Arbornetworks.com)
Largest DoS attack in February 2014 at over 400 Gbps. (Source: Itnews.com.au)
HSBC, Bank of America, JPMorgan Chase & Co and Citigroup were all targeted during 2013 by cyber terrorist organisations with reported links to Iran. (Source: Itnews.com.au)
Computer glitches are a major source of disruption:
- American Airlines was forced to cancel 745 flights last year following a computer glitch. (Source: Wn.com)
- Long flight delays and cancellations followed problems in connecting to Sabre's reservations system in August 2013, affecting American Airlines, Alaska Airlines, JetBlue, Virgin and Etihad. (Source: NBCnews.com)
- Accidental deletion of data during maintenance resulted in the unavailability of certain Amazon web services, affecting customers including Netflix, on Christmas Eve 2012. (Source: Businessinsider.com)
Cyber events worldwide
High profile incidents - Physical outcomes
In the Marine and Energy sector:
- The Stuxnet virus reportedly destroyed around a fifth of Iran's nuclear centrifuges by causing them to spin out of control. (Source: Businessinsider.com)
- Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again. (Source: Reuters.com)
Building management systems vulnerable:
- Cylance revealed they had been able to hack into the building management system (BMS) of Google's Wharf 7 office in Sydney, allowing them to take over the building's air conditioning. They say they have found other major Australian buildings, including hospitals, banks and government departments, that are at risk. (Source: abc.net.au)
Cyber events worldwide
High profile incidents - Financial crime
ATM withdrawals using fake payment cards: prosecutors believe a group broke into the Bank of Muscat, based in Oman, in February 2013. In the space of 10 hours, casher cells withdrew $40m in 36,000 transactions from ATMs in 24 countries. (Source: BBC.com)
Automated attacks using malicious code: Operation High Roller in 2012 targeted high-balance accounts held by either businesses or well-heeled individuals, siphoning off as much as $2.5 billion in an automated attack. (Source: BBC.com)
Using stolen payment card information: one retail analyst estimated the cost of fraud perpetrated on cards stolen from Target at $1.4 billion to $2.2 billion. (Source: bizjournals.com)
What is covered by a Cyber Liability policy?
1. Third-party liability caused by data breaches
2. Data breach incident response costs
3. Network business interruption
4. Data recovery and restoration
5. Cyber extortion
6. Multimedia liability
Risk Identification
Potential Risk Event | Likelihood | Potential Impact
Website copyright / trademark infringement claims | Low | Low
Legal liability to others for computer security breaches (non-privacy) | Low - Medium | Medium - High
Legal liability to others for privacy breaches | High | High
Privacy breach notification costs and credit monitoring | High | Medium - High
Privacy regulatory action defense and fines | Low | Medium
Costs to repair damage to your information assets | Low | Medium
Loss of revenue due to a failure of security or computer attack | Medium (overall), High (e-commerce) | Medium (overall), High (e-commerce)
Loss of revenue due to a failure of security at a dependent technology provider | Low | Medium
Cyber extortion threat | Low | Medium
Building a risk profile
Scenario: external hack of a customer retail website
Outcomes:
- Compromise of personally identifiable information (data owner)
- Compromise of commercially sensitive material (own)
- Compromise of commercially sensitive material (third party)
Cost categories:
- Crisis management / PR costs
- Loss of revenue
- Increased cost of working
- Litigation cost (defence)
- Third party compensation
- IT forensic costs
- Legal fees (advice)
- Breach notification costs
- Credit monitoring costs
- Civil / regulatory fine
- Loss of shareholder value
What Are the Gaps in Traditional Policies?
Traditional insurance was written for a world that no longer exists. Attempting to fit all of the risks a business faces today into a traditional policy is like putting a square peg into a round hole.
- Errors and Omissions (E&O): even a broadly worded E&O policy is still tied to professional services, and often further tied to a requirement that there be an act of negligence
- Commercial General Liability (CGL): covers only bodily injury and tangible property; the Advertising Injury / Personal Injury (AI/PI) section has potential exclusions/limitations in the area of web advertising
- Property: courts have consistently held that data isn't property, so the direct physical loss requirement is not satisfied
- Crime: requires intent and only covers money, securities, and tangible property
- Kidnap and Ransom (K&R): no coverage for cyber-extortion without amendment
CYBER RISK SURVEY REPORT UK and Ireland 2014
Using its knowledge and information about cyber risk in the UK and Ireland, Marsh has undertaken an in-depth study into organisations' attitudes towards the threat, the processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large- and medium-sized corporations across the UK and Ireland.
Awareness of Cyber Security is growing
Increased awareness has resulted in cyber risk featuring prominently on organisations' corporate risk registers. In total, 82% of survey respondents revealed that the risk features on their corporate risk register at some point; cyber risk is listed in the top ten risks on the corporate risk register of 56% of companies, while 24% place it within the top five.
Of those organisations that have calculated or estimated the financial impact of a cyber attack, 63% (20% of overall respondents) put the figure at GBP2 million or more. Perhaps one of the most concerning findings to come out of the survey results is that more than two-thirds of organisations have not estimated the financial impact of a cyber breach.
Organisations are approaching the insurance market
The insurance market has shown an appetite to cover a range of outcomes arising from a cyber event, with much of the focus on liability and incident response costs connected to breach of personal data, followed by business interruption losses.
When the results reflected in FIGURE 9 are compared with those in FIGURE 1, it would appear that our respondents are following a process towards managing cyber risk. That process begins with developing the organisation's cyber risk profile and understanding the financial impact of a cyber event, before exploring the options for risk transfer in the insurance market.