To set out changes to Lloyd s monitoring of Cyber risks, including a new definition for risk code CY and a new risk code CZ

Similar documents
CYBER RISK SECURITY, NETWORK & PRIVACY

Cyber/ Network Security. FINEX Global

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Embracing Cyber Risk: Insurance Solutions

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Cyber Insurance Presentation

Cyber Threats and the Insurance Response

erisks Policyholder s Guide to Privacy & Security Breach Response Planning

Mitigating and managing cyber risk: ten issues to consider

Cyber Liability Insurance

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Managing Cyber Risk through Insurance

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Specialist insurance and risk implications for prepaid an update. Prepaid International Forum Osborne Clarke London Thursday 9 th February 2012

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Policy Considerations for Covering Special Exposures. Claire Lee Reiss Program Director National League of Cities Risk Information Sharing Consortium

Incentives and barriers for the cyber insurance market in Europe

How To Cover A Data Breach In The European Market

Is Cyber Insurance the Next Big Think? 2nd Digital Payments Summit - May Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

DATE: 10 December 2004 REF: Y3453 CALIFORNIA INSURANCE: MANDATORY DISCLOSURE STATEMENTS

Data Breach and Senior Living Communities May 29, 2015

Statutory Liability Insurance

NZI LIABILITY CYBER. Are you protected?

Cyber Exposure for Credit Unions

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Airmic Review of Recent Developments in the Cyber Insurance Market. & commentary on the increased availability of cyber insurance products GUIDE

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Be Afraid, Be Very Afraid!!! Hacking Out the Pros and Cons of Captive Cyber Liability Insurance

Navigating Cyber Risk Exposure and Insurance. Stephen Wares EMEA Cyber Risk Practice Leader Marsh

The promise and pitfalls of cyber insurance January 2016

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY

Insurance implications for Cyber Threats

4/30/2015 CYBER LIABILITY AND AVIATION AGENDA LEARNING OBJECTIVES. Presented by Hal Hunt May 3, 2015

Coverage is subject to a Deductible

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

An Introduction to Cyber Liability Insurance. Catherine Berry Senior Underwriter

Protecting your business from cyber crime and data loss. November 2014

Cyber Liability. AlaHA Annual Meeting 2013

CYBER/ NETWORK SECURITY

OECD PROJECT ON CYBER RISK INSURANCE

Cyber Risk Management

Cyber Security Issues - Brief Business Report

Understanding the Business Risk

Michael Gaudet 2015 PHC 7/23/2015. Key Broker Challenges

Influence of Cyber Risk on the P&C Insurance Market

Making Sense of Cyber Insurance: A Guide for SMEs

DATE: 1st July 2005 REF: Y3579. Introduction of Lloyd s Claims Management Principles and Minimum Standards

This section outlines the Solvency II requirements for a syndicate s own risk and solvency assessment (ORSA).

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY. October Sponsored by:

MAY 7, 2015 AND THEN THE ACCOUNTANTS SHOWED UP HOW THE INSURANCE INDUSTRY WILL DRIVE CYBER SECURITY. CHIP BLOCK EVOLVER, INC Reston, VA

Prudential Practice Guide

Rogers Insurance Client Presentation

LLOYD S MINIMUM STANDARDS

Cyber and Data Security. Proposal form

Zurich Public Sector Solution

Cyber Risk State of the Art

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Cyber-insurance: Understanding Your Risks

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

Cyber Risk and the Utility Industry

UNITED KINGDOM TERRORISM RISK INSURANCE PROGRAMME

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability

Global Energy Practice CYBER GAP INSURANCE CYBER RISK: FILLING THE COVERAGE GAP

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

Specialist Miscellaneous Professions (Legal Liability) Professional Liability Insurance Summary

CYBER SECURITY SPECIALREPORT

What would you do if your agency had a data breach?

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

General Liability. General Liability 4/30/2015. Liability Coverage in the RIM Industry

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

Cyber Insurance as one element of the Cyber risk management strategy

Willis Healthcare Practice 11 th Annual Forum July 10,2007. Managing and Insuring Risks in Network Privacy/Cyber Risk

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

GRC/Cyber Insurance. February 18, Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London. Join the conversation: #ISSAWebConf

How To Buy Cyber Insurance

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

Insurance for Professionals

Insurance for Data Breaches in the Hospitality Industry

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

Managing Cyber & Privacy Risks

Information and Communication Technology, Cyber and Data Security

CSP WORKSHOP CYBER INSURANCE FROM A BROKER S PERSPECTIVE

Media Liability Insurance

Tradesman Liability Insurance Recycling Services Wording. Policy Document

Performance Management Supplemental Requirements and Guidance. Performance Management Supplemental Requirements and Guidance

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

cyber invasions cyber risk insurance AFP Exchange

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Privacy / Network Security Liability Insurance Discussion. January 30, Kevin Violette RT ProExec

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Security & Privacy Current cover and Risk Management Services

Transcription:

market bulletin Ref: Y4842 Title Purpose Type From Cyber Risks & Exposures To set out changes to Lloyd s monitoring of Cyber risks, including a new definition for risk code CY and a new risk code CZ Event Tom Bolt Director, Performance Management Date 25 November 2014 Deadline 1 January 2015 Related links www.lloyds.com/riskcodes Following consultation with the market, Lloyd s is revising its approach to the monitoring of cyber risks. Managing agents are asked to note the following: The definition of risk code CY has been updated A new risk code CZ is being introduced The Exposure Management team will be reviewing Lloyd s approach to aggregation monitoring during 2015. As a first step, Lloyd s will be undertaking a data collection exercise to assess syndicates aggregation of exposures Background As the internet, IT and operational technology have developed over the last 20 years, individuals and businesses have become connected to each other more frequently and in more advanced ways than ever before. This development has impacted how we all do business for the better. At the same time, this has had the consequence of increasing all industries cyber exposure, leading to a dramatic escalation in levels of risk. For the insurance industry, this is an area of new and rapidly growing risk where the Lloyd s market is showing innovation and bringing its specialist insurance expertise to bear. We are keen for Lloyd s underwriters to continue to take that lead. However, while the underwriting of cyber risks provides opportunities for Lloyd s syndicates, Lloyd s is concerned that without proper controls there exists a material risk of a dangerous Page 1 of 5 Lloyd s is authorised under the Financial Services and Markets Act 2000

aggregation of exposure in the market. Lloyd s is also concerned that cyber risk may not be being properly priced for nor the exposures adequately quantified by managing agents. On 1 October 2014 the Performance Management Directorate (PMD) initiated a consultation exercise with the market, via the LMA, to gather thoughts on how cyber risks and exposures should be coded and managed. Lloyd s was pleased with the number and detailed nature of the responses received and wants to extend its thanks to those in the market who found time to provide their views. Having considered the views of the market Lloyd s is introducing a limited number of changes to allow for better monitoring by managing agents and Lloyd s. These changes will allow for more targeted interventions, where required. Specifically, Lloyd s has created a new risk code CZ and is updating the definition of risk code CY. In addition, PMD will be reviewing syndicates policies for monitoring cyber accumulations and loss-estimation, which should comply with the Minimum Standards for exposure-management. The Cyber Scenario data collection exercise will be re-run as part of the 2015 RDS. Cyber exposure scope The changes Lloyd s is implementing are intended to allow better monitoring of cyber exposures which arise from a which for the purpose of this bulletin we label as cyber-attack. Cyber-attack is therefore the cause of loss but the consequences could be property damage, bodily injury or financial loss. These exposures are contained, to a greater or lesser extent, within all classes of business. In the 1 October 2014 consultation, Lloyd s asked consultees if they agreed that Lloyd s should limit its focus to cyber-attack. A range of views was expressed but overall Lloyd s believes that there is a consensus that the primary area of focus should be cyber-attack. The area of cyber coverage is, however, one that is developing rapidly and Lloyd s will keep its approach under review. Cyber risk codes CY and CZ In the 1 October 2014 consultation document we indicated our intention to update risk code CY. In addition, as a result of market feedback, Lloyd s is also introducing a new risk code CZ. These risk codes and their definitions are set out below: CY Cyber security data and privacy breach: Coverage in respect of first or third party costs, expenses or damages due to a breach (or threatened breach) of cyber security and/or privacy of data, that does not include damage to physical property CZ Cyber security property damage: Coverage in respect of first or third party costs, expenses or damages due to a breach of cyber security that includes damage to physical property - Use of codes and Multiple Risks coding The two codes should be used where underwriters are marketing a specific, stand-alone product to respond to cyber losses. Appendix 1 provides more detailed guidance on the use of the risk codes. Page 2 of 5

Where cyber-attack cover is given as an add-on or extension to an existing policy (including where cyber-attack exposure is given as a result of cover not being excluded), then this should continue to be coded according to the predominant parts of the total risk as long as the guidance on the coding of multiple risks is followed. See in particular paragraph 3.5.1 of Risk Codes, Guidance and Mappings (November 2014), which provides: 3.5.1 For insurances providing coverage across two or more risk codes (including those denoting both risk and territorial exposure) and in particular large global policies, the leading underwriter should code the predominant parts of the total risk having regard to the overall exposure of risk and the most likely incidence of future claims. The leading underwriter should endeavour to subdivide the exposure into more than one risk code if the exposure is considered material, and to provide an appropriate division of premium. Note that paragraph 3.5.1 applies to risks where the policy covers both risk codes CY and CZ (i.e. cyber-attack policies covering property damage and breach of privacy) as well as for policies that have both cyber-attack and non-cyber-attack coverage. Underwriting, Exposure Management, Capital and Business Planning Note: the following section applies to all cyber-attack exposures, whether coded CY, CZ or included within coverage provided under a different risk code (and coded as such in accordance with paragraph 3.5.1 of Risk Codes, Guidance and Mappings ). - Underwriting As cyber exposure continues to be a developing area Lloyd s expects that managing agents will take particular care in the underwriting of cyber-attack risks. Managing agents should therefore have processes in place to ensure that cyber-attack exposures are considered in appropriate detail when underwriting and pricing risks. Terms and conditions should be contract certain and where underwriters are excluding cyber-attack it is important to ensure that the wording accurately reflects the underwriter s intentions. - Exposure management and loss-estimation Managing agents are required to manage exposure to cyber-attack in line with Lloyd's current Minimum Standards. This includes: recording, monitoring and reporting cyber exposure, howsoever assumed understanding total exposed cyber aggregate where appropriate, having a defined risk appetite for cyber having defined processes for loss-estimation including scenario-based methods where appropriate and understanding the materiality of potential losses within the context of the syndicate s overall business; such processes should take account of the uncertainty around origin and quantum of losses for cyber Lloyd s will re-run the Cyber Scenario data-collection exercise that formed part of the 2014 RDS. This will be on the same basis as the 1 January 2014 return, meaning that managing agents should include losses from all risk-codes (not just CY) that they believe may have exposure to a cyber event. This will form part of the 2015 RDS return. Page 3 of 5

Following the data-collection exercise, during the first half of 2015 PMD will review the results of the exercise with the LMA and managing agents. PMD will also review syndicate management of cyber-attack exposures as part of Minimum Standards assurance work during 2015. Lloyd's Emerging Risks team will continue to explore additional scenarios to represent other aspects of cyber accumulation risk. - Capital Managing agents should note that cyber-attack aggregation exposures have the potential to impact adversely on a syndicate s capital requirements. - Business Planning While there will now be two cyber related risk codes, Lloyd s does not require managing agents to resubmit their business plans, which will continue to show all cyber business under the CY code. Managing agents should, however, record risks as they are written under the appropriate risk code, either CY or CZ. Where managing agents resubmit their business plan for any other reason then they should update their business plan at that time to show CY and CZ planned business separately. - Atlas system - coverholder class of business permissions All Coverholders who currently have Atlas permissions for Cyber Liability will automatically be given permission for the new Cyber class of business that is replacing Cyber Liability. This will allow for both the CY and CZ risk code. Managing agents therefore do not need to take any further action. Further information Any questions should be directed to your Syndicate Underwriting Performance executive in the first instance or otherwise contact the Class of Business team at: classofbusinessreview@lloyds.com Page 4 of 5

Appendix 1 Detailed guidance on use of CY & CZ risk codes CY Cyber security data and privacy breach CZ Cyber security property damage When should a coding be made to? - When a product is marketed specifically to provide cover for losses flowing from a - Where physical property damage is not covered by the policy - Insurance or reinsurance transactions - When a product is marketed specifically to provide cover for losses flowing from a - Where physical property damage is covered by the policy - Insurance or reinsurance transactions What are the typical features of products? - Privacy/data breach products (which would typically include hacking, malware,, unauthorised use or access to a network, or other breach of cyber security) - Costs and expenses including notification costs, credit file monitoring, regulatory defence costs, forensic costs - Cyber extortion - Cyber terrorism where the target is data or privacy related - Cyber crisis management, PR and reputation coverage - Denial of service attack, Business interruption or additional costs of working - Data restoration costs for damage to data caused by a - Fines and penalties - Cyber-terrorism or cyber-attack cover - infill or gap policies to write back exclusions such as CL380 in any class of business - Business interruption or additional costs of working - Other first and third party cost, expenses or damages may be covered under the policy Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information