Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re
Global Warning: It is a matter of time before there is a major cyber attack on the global financial system, and the public needs to invest heavily in preventing disaster now, or pay an even higher price later on. "They (cyber attackers) are breaking into everything. It is only a matter of time before something happens that is more systematic and problematic." (Benjamin Lawsky, Superintendent of the New York State Department of Financial Services)
SafeNet: Breach Level Index. Between April and June 2014, 237 breach incidents were recorded worldwide, in which more than 175 million data records containing customers' personal and financial information were compromised. In the first half of the year alone, more than 375 million records were stolen or lost as a result of 559 cyber crime incidents.
Definitions. What is a data breach? A breach is defined as an event in which an individual's name and/or a medical record and/or a financial record and/or debit card is potentially put at risk. The main causes of data breaches are criminal attacks, system glitches and human error. The cost of a data breach varies according to its cause and the safeguards in place at the time of the breach. What is a compromised record? A record is defined as information that identifies the natural person (individual) whose information has been lost or stolen in a data breach. Examples include a retail company's database in which an individual's name is associated with credit card information and other personally identifiable information, or a health insurer's record of a policyholder, with physician and/or payment information. Source: 2014 Cost of Data Breach Study: Global Analysis - Benchmark research by Ponemon Institute LLC - May 2014
Breach Level Index (2014 - Q2). The United States leads the ranking of cyber crime events, accounting for 88% of the records compromised worldwide.
Scary numbers. Cyber attacks represent one of the most serious risks to economic and national security facing governments around the globe. (Guy Carpenter: Emerging Risks Report, September 2014: Ahead of the Curve: Understanding Emerging Risks)
Most critical sectors according to governments
Emerging technology threat. Technology has redrawn the boundaries of modern society. Cyber risk is part and parcel of the transformation of how business is conducted globally, where people interact via smartphones with the commercial internet and social media. It is easy for organisations to be reactive to cyber events and say "it will never happen to us", but when an event does happen, it is costly in both financial and reputational terms.
Risk Management Issues. Costs to a breached company can be exceptional, ranging from loss of business to system recovery and reputational damage. Third-party losses can also be very high: companies may face class action lawsuits and have to pay damages to customers in data breach cases. D&O liability insurance is also being affected by cyber attacks, because directors and officers are facing shareholder and derivative actions alleging that they breached their fiduciary duty to have cybersecurity measures in place. The costs of defending against the consequences of a cyber attack include lawyers' fees for defending cases in court, for keeping cases out of court, and for legal analysis of the situation and recommendations on how to proceed. There are other resulting costs, including the expense of notifying customers.
Supply Chains. Cyber attacks would also create aggregations of risk that spread beyond the corporation to affiliates, counterparties and supply chains. A severe cyber attack would affect the global supply chain, especially around commercial and industrial internet usage. Loss of and tampering with data affect the ability to conduct business, disrupt other business units, and seriously impact reputation and the associated costs of remediation, litigation and compliance notification, leading to fines and solvency issues. In fact, cyber attacks were ranked fifth among the top five global risks in this year's World Economic Forum report.
Records by country. Source: 2014 Cost of Data Breach Study: Global Analysis - Benchmark research by Ponemon Institute LLC - May 2014
Average data breach cost by country. The average organizational cost of a data breach varies by country. The U.S. experienced the highest total average cost at more than $5.85 million, followed by Germany and France. Brazilian and Indian companies experienced the lowest total average cost, at $1.61 million and $1.37 million respectively.
Main causes of data breach. Malicious or criminal attacks are most often the cause of data breaches globally: 42% of incidents involved a malicious or criminal attack, 30% a negligent employee or contractor (human factor), and 29% system glitches, which include both IT and business process failures. Source: 2014 Cost of Data Breach Study: Global Analysis - Benchmark research by Ponemon Institute LLC - May 2014
Per capita cost by industry classification. Certain industries have higher data breach costs. Heavily regulated industries such as healthcare, education, pharmaceuticals and financial services have higher per capita data breach costs; public sector organizations and retail companies have lower ones.
Demand on the insurance industry. With the increasing severity and frequency of cyber attacks and data breaches worldwide, demand for cyber-specific insurance is growing. The cyber insurance market is generally dated to 1996. Since then it has grown to include many types of coverage, and today "Cyber" is a comprehensive term describing a number of different solutions providing cover around an organization's computer systems, data and other multimedia activities.
Various types of exposures. Available covers are normally designed to include:
First party loss (property): data damage and cyber extortion
- Destruction, corruption or theft of electronic information and/or data due to failure of the computer system or network;
- Threats or extortion relating to the release of confidential information or a breach of computer security;
- Business interruption, including income loss and expenses incurred during the period of interruption following a computer system failure or breach of network security, or following an outage at a service provider that is itself caused by a computer failure or network security breach.
Crisis management and identity theft response
- Costs associated with managing the aftermath of a privacy breach, including forensic investigation, legal costs, notification costs, call center costs, credit monitoring costs (where an identity is stolen and a line of credit is obtained) and public relations costs.
Third party liability for data privacy
- Liability from disclosure of confidential commercial and/or personal information (privacy);
- Liability from economic losses suffered by third parties due to a failure of network security.
Regulatory breaches, fines and penalties
- Defense of regulatory action due to breach of privacy regulation;
- Coverage for fines and penalties due to breach of privacy regulation.
Reputational risk. Reputational risk is probably the biggest concern for many risk managers. SafeNet conducted a survey on customer loyalty revealing that 40% of more than 4,500 consumers would refuse to do business with a company that has suffered a data security breach. The percentage rises to 65% if the breach involves financial data.
Overall, a complex environment. The variety and complexity of the exposures, the size and overall potential of the phenomenon, globalization and the wide spread of jurisdictions involved (cyberspace is transnational by nature), and the lack of historical data all prevent actuaries and underwriters from modelling cyber-related losses and pricing cyber risk. On the other hand, given the difficulty of evaluating the actual risk and quantifying losses, buyers remain confused about the type of coverage and limits to purchase.
Inadequate response from the market? Although cybercrime is said to cost global economies $445 billion annually (*), the market remains in its infancy, with the potential to reach as much as $2 billion in gross written premiums this year (source: Guy Carpenter). Marsh estimates that the European market is currently only a fraction of that, at around $150 million, but that it could reach EUR 700-900 million by 2018. In particular, the European cyber coverage market could get a big boost from the new EU data protection rules, which would force companies to disclose breaches of customer data. (*) Center for Strategic and International Studies
The European perspective. In Europe, data protection is viewed as a human right, and comprehensive regulation exists to protect the individual's data and privacy. The collection and purpose of data are subject to strict conditions and monetary sanctions (up to EUR 600,000). There is no tradition of class action. Perhaps for this reason, the business interruption element (first party) seems to be of greatest importance to European companies.
The upcoming EU Data Protection Reform. In February 2013, the European Commission proposed the Cyber Security Directive, containing measures to impose minimum network and information security requirements on business. The EU is now looking to update its data protection regulation, which is expected to be adopted in 2015 with a two-year implementation period. This EU Data Protection Reform will harmonize European law and introduce new measures, including mandatory notification of data breaches and removal of the data of individuals who withdraw consent for it to be held. Fines and penalties for non-compliance are also expected to increase.
Cinzia Altomare, Branch Manager, Facultative, General Reinsurance Milan Branch, Via Manzoni 37, 20121 Milano, tel. +39 02 76211840, mob. +39 348 8620670, cinzia_altomare@genre.com, www.genre.com. Thank you! Visit genre.com for more info. The material contained in this presentation has been prepared solely for informational purposes by Gen Re. The material is based on sources believed to be reliable and/or on proprietary data developed by Gen Re, but we make no representation as to its accuracy or completeness. The content of this presentation is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.