Aon - Cyber Insurance in the World of Cyber Criminals

CSNP Chicago - presented by Stephanie Snyder

Published in: Technology

  1. Cyber Insurance in the World of Cyber Criminals
  2. Aon’s Cyber Solutions Proprietary & Confidential. Agenda: Does cyber insurance really work? Can it be a meaningful part of cybersecurity resilience?
  3. Myth versus Reality
     ▪ “Cyber insurance doesn’t pay claims”
     ▪ “NotPetya losses were not covered under cyber policies”
     ▪ “Cyber insurance causes ransomware attacks”
     What other things have you heard about cyber insurance?
  4. There’s Insurance for That? ▪ New cybersecurity requirements – CA IoT Law (effective 2020); NY Dept of Financial Services ▪ Increasing privacy regulation – CCPA (effective 2020); EU GDPR ▪ Dependent & Contingent Businesses ▪ Technology Dependencies ▪ Information Technology Platform ▪ IoT / Cloud / SaaS solutions ▪ Operational Technology Breach Expenses Evolving Regulation Supply Chain Disruption Reputational Risk Network Business Interruption Liability Technology Infrastructure ▪ Technology Failures ▪ Extended Outages caused by malicious code ▪ Logistics ▪ Net Income Loss + Extra Expense ▪ Network Security Liability ▪ Privacy Liability ▪ Delay in Delivery ▪ Return or Offset in Fees ▪ Contractual Liability / Liquidated Damages ▪ Customer Erosion ▪ Public Relations Costs ▪ Computer Forensics ▪ Software / Hardware Replacement ▪ Data Restoration ▪ Notification / Credit Monitoring
  5. Cyber Insurance Coverages
     Operational Risk
     ▪ Network Business Interruption
     ▪ System Failure
     ▪ Dependent Business Interruption / System Failure
     ▪ Cyber Extortion
     ▪ Digital Asset Restoration
     Privacy and Network Security Risk
     ▪ Privacy and Network Security Liability
     ▪ Privacy Regulatory Fines and Penalties
     ▪ PCI Fines and Penalties
     ▪ Breach Event Expenses
     Liability Risk
     ▪ Technology Errors & Omissions
     ▪ Professional Liability
     ▪ Media Liability
  6. Beware the “Silent Cyber”
     Note that coverage in policy forms can vary materially from carrier to carrier, and from base policy forms to manuscript policy forms.
     Property? Intellectual Property? Directors & Officers Liability? Marine? General / Product Liability? Environmental? Kidnap & Ransom? Product Recall? Terrorism? Crime? CYBER
  7. Notable Data Breach / Privacy Commercial Impacts
     Columns: Organization | Approximate Disclosure Date | Commercial Impact | Financial Components | Source
     ▪ Anthem 02/04/2015 $392 million Gross Expenses ($146mm) Security Improvements ($115mm) Class Action Settlement ($115mm) HIPAA Settlement ($16mm) Regulator Settlement U.S. District Court HHS OCR
     ▪ British Airways 10/25/2018 £183 million ICO Fine – Notice of Intent *BA has not established a provision Q2 2019 Earnings
     ▪ Capital One 07/29/2019 $100 to $150 million 2019 Gross Expenses Press Release
     ▪ Equifax 09/07/2017 $1.445 billion £500,000 Gross Expenses to Date ICO Fine (DPA 1998) Q2 2019 Earnings ICO Notice
     ▪ Facebook 03/16/2018 $5 billion $100 million £500,000 FTC Civil Penalty SEC Settlement ICO Fine (DPA 1998) FTC Press Release SEC Press Release ICO Notice
     ▪ Marriott 11/30/2018 $192 million Gross Expenses Includes $126 million ICO Fine Q2 2019 Earnings
     ▪ Target Corporation 12/18/2013 $292 million Gross Expenses 10-K Filing 2017
     ▪ Yahoo! Inc. (Altaba Inc.) 09/22/2016 12/14/2016 $350 million $117.5 million $35 million $80 million $29 million £250,000 Reduced Acquisition Price Customer Class Action SEC Fine Securities Class Action Shareholder Derivative ICO Fine (DPA 1998) Verizon Press Release U.S. District Court SEC Press Release U.S. District Court U.S. District Court ICO Notice
  8. Notable NotPetya Business Interruption Commercial Impacts
     Columns: Organization | Commercial Impact | Financial Components | Source
     ▪ A.P. Moller – Maersk $250-300 million Earnings Reduction Q4 2017 Financials
     ▪ Beiersdorf AG Minimal sales impact €15 million €35mm sales shifted Q2 to Q3 Additional expenses Q2 2017 Financials Q4 2017 Earnings Call
     ▪ FedEx (TNT Express) $400 million Earnings Reduction Q4 2018 Financials
     ▪ Merck & Co. $410 million $380 million 2017, 2018 Sales Reduction Additional Expenses Q4 2017 Financials Q3 2018 Financials
     ▪ Mondelez International ~$104 million $84 million 2017 Sales Reduction Additional Expenses Q4 2017 Earnings Call Q4 2017 Earnings Release
     ▪ Nuance Communications $68 million $31.2 million 2017 Sales Reduction Additional Expenses Q3 2018 Financials
     ▪ Reckitt Benckiser ~£114 million 2% Q2 Sales Reduction 2% Q3 Sales Reduction Press Release Q2 2017 Financials Q3 2017 Financials
     ▪ Saint-Gobain ~€220-250 million €80 million 2017 Sales Reduction 2017 Earnings Reduction Q3 2017 Earnings Release Q1 2018 Earnings Release
     The NotPetya event began propagating on 6/27/2017; all of the organizations above have an approximate disclosure date of 6/27/2017.
  9. Notable Business Interruption Commercial Impacts
     Columns: Organization | Approximate Disclosure Date | Commercial Impact | Financial Components | Source
     ▪ Delta (Data Center Outage) 08/08/2016 $150 million Pretax Income Reduction Delta Industry Presentation
     ▪ NHS (WannaCry) 05/12/2017 £19 million £73 million Lost Output IT Costs UK Health & Social Care
     ▪ Norsk Hydro (LockerGoga) 03/19/2019 $45-51 million Lost Output, Margin, & IT Costs Investor Presentation
     ▪ TSB (IT System Failure) 04/24/2018 £33.5 million £125.2 million £49.1 million £122.4 million Sales Reduction Customer Redress & Rectification Fraud & Operational Additional Resource & Advisory Q4 2018 Earnings Release
     ▪ TSMC (Malware Outbreak) 08/03/2018 $85 million Cost of Revenue TSMC Press Release 2018 20F
  10. The Cyber Loop: Managing Cyber Risk Requires A Circular Strategy
  11. Quantifying Cyber Losses
      Provide Data-Driven Insights to Improve Operational and Financial Resilience
      ▪ Identify mission-critical Information Technology
      ▪ Overlay credible cyber attacks utilizing tailored cyber threat intelligence (CTI)
      ▪ Attack Path Analysis of identified cyber events
      ▪ Define commercial parameters of each identified scenario
      ▪ Utilizing existing BI studies
      ▪ Data collation of relevant information
      ▪ Data mining of Aon cyber incidents (+1,500 incidents) and claims data (+900 claims)
      ▪ Claims data from the Financial sector on similar IT loss scenarios
      ▪ Financial modelling of first and third party exposures
      ▪ Risk Tolerance Analysis of each scenario
      ▪ Evaluate efficacy of existing Client risk mitigation measures, including
        • Incident Response
        • BCP / Disaster Recovery
        • Risk Transfer
      ▪ Identify improvement roadmap
      Identify + Analyze Scenarios Data Analysis + Loss Quantification Risk Management Optimization Scenario Analysis Financial Modeling Stress Testing
  12. Questions?
  13. About Cyber Solutions: Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents. About Aon: Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. Visit aon.com/cyber-solutions for more information. © Aon plc 2019. All rights reserved. Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.