PANEL DISCUSSION: Cyber Risk Insurance (Network Security & Privacy Insurance) 19 March 2015
Panelists:
- Cinzia Altomare, Manager Facultative, Gen Re, Italy
- Michael Shen, AVP, Liberty Specialty Markets, and the founding member of Cyber Risk and Insurance Forum, Great Britain
- Ivica Perica, Director at Business Advisory Services Department, Deloitte Adriatics, Croatia
- Zdenko Adelsberger, consultant for IT security and risks management, Bluefield, Croatia

Moderator: Tin Lesić, Executive Director of Development, Aon, Croatia
If you can answer all of the following, stop listening
- How did this happen?
- Are we sure it has stopped now?
- What type of information is involved?
- Where to find a lawyer who is knowledgeable in this area?
- Can the affected third parties sue and would cyber policy cover legal defense costs?
- Are cyber risks already covered under our existing insurance policies?
- Would cyber insurance policy respond if our employee steals information?
- Is offline data covered by cyber insurance policy as well?
- Do you notify the media and what are you going to say?
- Do you offer credit monitoring?
- Do you need to notify regulators, affected parties, the police, providers/suppliers?
- Are local or EU laws triggered and how do we comply?
Typical misconceptions about cyber risk
- We have a firewall, so we are protected.
- We have antimalware protection, so we are not at risk.
- We have the best IT department.
- Why would our organization be a target?
- We don't have an e-commerce website, so we are not at risk.
- We are compliant with PCI, ISO, etc., so we are not at risk.
- We outsource some of the processes / activities so the vendor will be liable for anything that goes wrong.
Typical misconceptions about cyber risk
- Our IT department is managing risk effectively
- Our existing insurance policies typically cover some cyber risk
- We determine coverage needs based on what our peers are doing
- Our data is not a high-risk target for cyber threats
- The cost of cyber insurance exceeds the incident cost
- The financial cost of an incident would not be significant
- Our industry is not at high risk for cyber threats
- We don't need it
- We're not subject to US style regulation
- I've never had a cyber breach so I don't need this coverage
- We don't need it, we outsource our security
Notable data breach incidents

| Date Breach Reported | Entity | Loss Estimate | Records Impact (millions) |
|---|---|---|---|
| Jun 2014 | NYC Taxi & Limousine Commission | Not Known | 173M |
| Oct 2013 | Adobe Systems, Inc. | Not Known | 152M |
| May 2014 | eBay, Inc. | Not Known | 145M |
| Jan 2009 | Heartland Payments Systems | $143M | 130M |
| Dec 2013 | Target Brands, Inc. | $200M | 110M |
| Jan 2007 | TJX Companies Inc. | $256M | 94M |
| Jun 2011 | Sony | $280M | 77M |
| Aug 2014 | J.P. Morgan | Not Known | 76M |
| Sep 2014 | Home Depot | $62M | 56M |
| Mar 2012 | Global Payments | $125M | 7M |

Aon Risk Solutions
Before you buy
Risk finance is part of overall risk management program structure.
Diagram labels: Qualification, Quantification, Mitigation, Transfer
- I. Risk & Exposure Assessment: What can go wrong?
- II. Scenario Quantification: What is the financial impact?
- III. Risk Mitigation & Maturity Review: How am I protected?
- IV. Insurable Risk Review: Will my insurance respond?
What is Cyber?
- Where: Online, Offline
- Who: Malicious, Accidental, Internal, External
- What: Technology, Media, Protected Data
- Financial Impact: Crisis Expense, Extra Expense, Lost Income, Defence Expense, Regulatory Fine, Liability
Who creates cyber risk?
[Pie chart, Full Year 2014. Categories: Internal Accidental, Internal Malicious, External, Internal Unknown, Unknown. Slice values shown: 8%, 6%, 17%, 13%, 56%. Source: datalossdb.org]
How could the Cyber policy respond? 5th March 2015 Breach of point-of-sale credit card systems in the US and Europe
How could the Cyber policy respond? 1st January 2015
How could the Cyber policy respond?
Insurance Coverage
Key features of cyber insurance
Use of third parties
PPM: Price per Million of Limit Comparative analysis for selected peers: Technology and Communications industry
Per Occurrence Deductible Comparison Comparative analysis for selected peers: Technology and Communications industry
A typical gap-analysis may look like this
Policy limits Comparative analysis for selected peers: Technology and Communications industry
European/London Cyber Insurance Markets
Theoretical Capacity* in MM, Any one Risk
[Bar chart. Markets shown: ACE, Aegis, AGM, AIG, AIG Cat xs, Allianz, Amlin, ANV, Arch, Argo, Ascent, Aspen, AWAC, Axis, Barbican, Beazley, Berkshire Hathaway, Brit, Catlin, CFC, Chaucer, Chubb, CNA, Cove Underwriting, Endurance, HCC, HDI Gerling, Hiscox, Kiln, Lexington, Liberty, Markel, Marketform, Mitsui, Munich Re, Navigators, Novae, Pembroke, Principia, QBE, Sagicor, Scor, Starr, Swiss Re, WR Berkley, XL, Zurich]
*Not including new catastrophe capacity available on an excess/DIC basis or from reinsurance markets
Cyber Risk Diagnostic Tool www.aoncyberdiagnostic.com