Managing Cyber Risk through Insurance

Similar documents
Mitigating and managing cyber risk: ten issues to consider

CYBER RISK SECURITY, NETWORK & PRIVACY

Cyber Risks and Insurance Solutions Malaysia, November 2013

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Cyber and data Policy wording

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Cyber Insurance Presentation

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

NZI LIABILITY CYBER. Are you protected?

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

How To Cover A Data Breach In The European Market

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Cyber and Data Security. Proposal form

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

National Corporate Practice. Cyber risks explained what they are, what they could cost and how to protect against them

Cyber/ Network Security. FINEX Global

ISO? ISO? ISO? LTD ISO?

Understanding the Business Risk

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

Airmic Review of Recent Developments in the Cyber Insurance Market. & commentary on the increased availability of cyber insurance products GUIDE

Cybercrime: risks, penalties and prevention

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

How-To Guide: Cyber Security. Content Provided by

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Cyber Threats and the Insurance Response

Insurance implications for Cyber Threats

Aon & DLA Piper s 2014 Network Security & Privacy Symposium. September 2014

Service Schedule for CLOUD SERVICES

Cyber Liability Insurance: It May Surprise You

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

ACE European Risk Briefing 2012

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

An Introduction to Cyber Liability Insurance. Catherine Berry Senior Underwriter

Cyber Risks in Italian market

Data Breach and Senior Living Communities May 29, 2015

Cyber Threats: Exposures and Breach Costs

What Data? I m A Trucking Company!

Cyber Risk Insurance for Agents. Frequently Asked Questions

Think STRENGTH. Think Chubb. Cyber Insurance. Andrew Taylor. Asia Pacific Zone Product Manager Chubb Pro PI, Media, Cyber

Network Security & Privacy Landscape

Rogers Insurance Client Presentation

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited

cyber invasions cyber risk insurance AFP Exchange

Insuring Innovation. CyberFirst Coverage for Technology Companies

Cyber Security for audit committees

Privacy and Data Breach Protection Modular application form

Guidance on data security breach management

CYBER/ NETWORK SECURITY

Joe A. Ramirez Catherine Crane

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

Cyber-Crime Protection

CYBER RISK INSURANCE. Presented By: Jonathan Healy

Identifying Cyber Risks and How they Impact Your Business

Information and Communication Technology, Cyber and Data Security

Data Security Incident Response Plan. [Insert Organization Name]

Third Party Security Requirements Policy

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Lost in Cyber Space? Cyber Risks and (Re-) Insurance

Cutting through the insurance jargon!

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Guidance on data security breach management

CYBER SECURITY SPECIALREPORT

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage

Transcription:

Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes it to be understood that opinions put forward herein are not necessarily those of the Institute and the Council is not responsible for those opinions.

Today s Agenda What are the key risks and exposures? Changing landscape including legislative reform Gaps in conventional insurances The breadth and limitations of cyber insurance policies I left my laptop on the train Our website has been vandalised We lost confidential documents in transit My cloud services provider has deleted my data Someone is holding my data to ransom We've been hacked A customer has posted misleading statements on our corporate Facebook page Our access passwords have been compromised

Changing Landscape Global cyber crime is on the rise Increased hacktivism Heightened media attention Laws and regulations creating new legal exposures Contractual requirements Increased awareness at Board level Cyber risk carve outs in conventional insurances 4

5 Who is being targeted?

What is being stolen? Information that is valuable: IP, customers, suppliers and personal data Business Critical Information: financials, business plans, new products. Critical Business Transactions: Raising finance, JV, M&A, divestitures 6

Key Risks & Exposures Brand & Reputation Damage Fraud / Crime / Terrorism Malware attack / virus / phishing / hacking Cyber extortion Systems interruption / corruption Identify theft / disclosure of information Loss of Revenue Impact on Share price Social Media / Publishing Defamatory material Misleading content Privacy breaches Breach of intellectual property Legal Liability Forensic Consultant Costs Electronic data / devices / paper records Deliberate / malicious Negligence / human error (employee / supplier) Disclosure of information Loss or destruction of data / information Breach Notification Costs Regulatory Scrutiny Technology Services Cloud computing Data storage / hosting Hardware / software maintenance Fines & Penalties System Disruptions Regulatory & Compliance Licence suspension or cancellation Privacy Act violations Duties of directors and trustees Increased Compliance Costs Damage to Digital Assets 7

ASIC Guidance & Requirements Report 429 - "Cyber resilience: Health check" ASIC defines cyber resilience as "the ability to prepare for, respond to and recover from a cyber attack". The Report emphasises the importance of cyber resilience in protecting the integrity of global markets and supporting consumer trust and confidence. ASIC noted that corporates must consider how and when a cyber attack may need to be disclosed as market-sensitive information in accordance with continuous disclosure obligations Directors' obligations to take cyber risks into account including cyber insurance when discharging their duties in considering risk management issues 8

Are you aware of your obligations? Are you aware of your obligations? If as a director, are you meeting your legal obligations? Have you considered disclosure of cyber risks in a prospectus? If you are a listed entity have you considered your continuous disclosure obligations? If you are an AFS licensee have you considered how cyber risks affect your general licensing obligations? If you are a responsible entity is your compliance plan is up to date? If you are a market participant, how do you identify and deal with unauthorised transactions on client accounts? Is your board and senior management are aware of your cyber risks? If you are a credit licensee How cyber risks affect your general licensing obligations? You may not have considered how cyber risks may affect your directors duties and annual director report disclosure requirements. Consider reviewing your board-level oversight of cyber risks and cyber resilience strategy, and consider if you need to incorporate greater consideration of cyber risks into your governance and risk management practices. Cyber risks may need to be disclosed if they are a significant factor that would form part of information that investors and their professional advisers would reasonably require to make an informed assessment of any offer. A cyber attack may need to be disclosed as market-sensitive information. Your risk management plans, policies and procedures may need to take cyber risks into account. Inadequacies in your risk management systems may amount to a significant breach of your obligations that may need to be reported to ASIC. Cyber risks may need to be disclosed as a significant risk associated with holding the product. A compliance plan must reflect, among other things, the major compliance risks that investors face. This may include cyber risks. It is useful to pay particular attention to client accounts that appear to be trading unprofitably and take action to verify the origin of such orders, and address complaints of unauthorised transactions from clients. You could also encourage your clients to monitor their accounts and change passwords regularly. You are encouraged to review the level of board and senior management oversight of your cyber risks, including how frequently risks are updated. Oversight should take into account your legal and compliance obligations and be proportionate to the cyber risks you face and the nature, scale and complexity of your business. Your risk management plans, policies and procedures may need to take cyber risks into account. 9

APRA Requirements CPS 220 Risk Management Submit a Risk Management Strategy to APRA Submit a 3-year Business Plan to APRA (& re-submit annually or if material changes) Submit a Risk Management Declaration & Financial Information Declaration to APRA (annually) Dedicated risk management function (or role) CPG 235 Managing Data Risk CPG 234 - Management of Security Risk in Information and Information Technology Assess, classify & manage data at each stage Adopt a systematic & formalised approach Staff awareness Auditability, desensitisation, end-user computing, outsourcing / offshoring responsibilities Identify and develop processes to managed potential data issues Test data risk management assurance programs frequently Develop, implement & maintain a hierarchy of policies, standards and procedures Adopt a set of high-level IT security principles in order to establish a sound foundation for the IT security risk management framework User awareness Regular assessments Access control, asset management, physical security, monitoring and management 10

11 Cyber Attacks on the Banking Sector

12 Cyber Attack - A Timeline of Events

World s Biggest Data Breaches

What Does a Policy Usually Cover? First Party Third Party Business interruption (loss of income and extra expenses) Defamation claims Costs to restore / recreate data Infringement of intellectual property claims Notification costs & credit monitoring services Violation or infringement of privacy claims Forensic investigations Claims as a result dissemination of confidential information or damage to third-party systems Cyber extortion Legal defence costs Crisis communication / public relations Privacy breach regulatory proceedings and investigations Legal costs assisting with privacy notification / compliance response Fines & penalties 14

15 Cyber Risk Transfer

Gaps in Traditional Insurance Programme 1st Party Data Protection Privacy Risks Network Interruption Cyber Extortion Data Restoration, Recollection, Recreation (Determination and Action) Employee sabotage of Data Virus/ Hacker damage to Data Denial of Service attack Physical damage to Data Only 3rd Party Data Protection Privacy Risks Breach of Personal Information Breach of Corporate Information Outsourcing Liability / Vicarious Liability Contamination of Third Party Data by any unauthorised software, computer code or virus Denial of access to third party data Theft of an access code from the Company s premises Destruction, modification, corruption, damage or deletion of Data Physical theft of the Company s hardware Data disclosure due to a Breach of Data Security Costs and expenses for legal advice and representation in connection with an Investigation Data Administrative Fines Repair of Company / Individuals Reputation Media Content Liability (IP, Plagiarism, defamation, trespassing) Notification Costs Monitoring Costs (with identity theft education and credit file or identity monitoring Property General Liability Crime/ Bond K&R PI Cyber Coverage Provided Coverage Possible For reference and discussion only: policy language and facts of claim will require further analysis No Coverage 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information