3. cyber as a PERIL
cyber event SCENARIOS
uses REAL WORLD
Understanding the terms of art
Tools to translate between silos
Key categories of cyber risk
Information theft
Property damage
Environmental damage
Computer systems damage
Understanding motivations
Risk transfer challenges and optimization
Effective controls to minimize the risk
6. Risk Reduction Curve
[Figure: axes RISK and CYBERSECURITY CAPABILITY; regions labeled Sustain Capability, Invest in Transfer, Invest in Capability]
  1. Early capability improvements have high payoff in risk reduction
  2. Payoff flattens as capability increases
  3. Insurance transfers impact and results in a quantum risk reduction
  4. Insurers want insureds to be on the flatter part of the capability curve
  5. Invest accordingly
23. 1990 2000 2010
EVENTS
COVERAGES
Ingram Micro v. American Guarantee & Liability
CA SB 1386 Breach Notification
45 Other Notification Laws
STUXNET
NotPetya
More robust electronic data exclusions
P&C carriers strengthen exclusions, e.g. CL380
P&C carriers rethinking coverage due to NotPetya
Cyber coverages begin to appear.
Network Business Interruption
Information Asset Protection
Privacy Breach Liability Coverage
Breach Regulatory Event Expense
• Introduction of Cyber DIC and P&C Options
• Broadening of traditional cyber policies
• Introduction of cyber cover into property policies
25. CYBER INSURANCE POLICIES
1st Party Damages
3rd Party Damages
Financial Damages
Non-Physical Cyber
Forensics, Data Restoration, PR, Extortion, & Legal Expenses
Excludes Property Damage & Bodily Injury
Critical for Protecting Data & Exposure
26. Non-Physical Cyber
Critical for Protecting Data & Exposure
PROPERTY POLICIES?
CASUALTY POLICIES?
Tangible (Physical) Damages
CYBER INSURANCE POLICIES
1st Party Damages
3rd Party Damages
Financial Damages
Emerging Issue in Established Market
Market in Flux – Exclusions Being Added to Traditional Covers
27. Emerging Issue in Established Market
Market in Flux – Exclusions Being Added to Traditional Covers
PROPERTY POLICIES?
CASUALTY POLICIES?
Tangible (Physical) Damages
CYBER INSURANCE POLICIES
1st Party Damages
3rd Party Damages
Financial Damages
28. Expanding policies into tangible damages
Newer Property Policies
Tangible (Physical) Damages
1st Party Damages
3rd Party Damages
Financial Damages
Property policies are increasingly providing coverage for data, even when there is no real property damage
Some cyber insurers – who may not even write commercial Property or Casualty insurance – are extending their cover to tangible damage
32. MYTH VS REALITY
MYTH: Cyber insurance policies contain stringent requirements relating to security posture.
REALITY: If yours has such requirements, you may have purchased the wrong policy.
MYTH: Cyber insurance policies don’t cover ransomware.
REALITY: There are multiple types of policies available to cover ransomware losses and payments.
MYTH: Cyber insurance policies don’t cover employee actions or errors.
REALITY: Employee sabotage and insider events are readily insurable.
MYTH: Cyber insurance policies only cover notification costs and credit monitoring.
REALITY: …what have we covered today?
MYTH: Cyber insurance policies don’t pay.
REALITY: Stories about claim denials may have been misrepresentations or sensationalized.
MYTH: Buying insurance is an admission of failure.
REALITY: Would you rather have to beg your CFO for incident response money?
35. 1st Party Damages (to your organization)
3rd Party Damages (to others)
Financial Damages
Tangible (Physical) Damages
RESPONSE COSTS
LEGAL EXPENSES
RESTORING LOST DATA
REVENUE LOSS
REVENUE LOSS
MECHANICAL BREAKDOWN
PROPERTY DAMAGE
36.
37. 1st Party Damages (to your organization)
3rd Party Damages (to others)
Financial Damages
Tangible (Physical) Damages
RESPONSE COSTS
LEGAL EXPENSES
RESTORING LOST DATA
REVENUE LOSS
RESTORATION EXPENSE
LEGAL EXPENSES
CREDIT MONITORING COSTS