Cyber Insurance Temp



Cyber Insurance and Cyber Risks

Published in: Economy & Finance, Technology

  1. Cyber Insurance
     • Kshitij Rohan Stuart Shromon Prateek
  2. Cyber-Insurance in a Nutshell
     • Risk sharing
       ◦ avoid extreme losses at manageable expenses
     • Security metric
       ◦ premiums differentiate good and bad risks
     • Incentive function
       ◦ to develop and deploy sound security technology
     • Market for cyber-insurance immature
       ◦ losses from cyber incidents in the range of $200 bn
       ◦ global cyber-insurance market < $2 bn (Majuca et al., 2006)
     • (Danger of) High correlation of cyber-risks
       ◦ due to homogeneous technology (Geer et al., 2003)
  3. Information Technology
  4. Cyber Crime
     • Cyber crime is usually restricted to describing criminal activity in which the computer or network is an essential part of the crime; the term is also used to include traditional crimes in which computers or networks are used to enable the fraudulent activity.
       ◦ Spamming and criminal copyright crimes
       ◦ Unauthorized access (i.e., defeating access controls), malicious code
       ◦ Theft of service like any financial frauds
       ◦ Social engineering frauds (e.g., hacking, identity theft, child pornography, online gambling, securities fraud)
  5. Cyber Crime
     • Cyber crimes that are most frequently conducted are:
       ◦ Theft of information contained in electronic form
       ◦ Virus / worm attacks
       ◦ Trojan attacks
       ◦ Web jacking
     • Computer security breaches can have
       ◦ a first-party impact (on the firm itself)
       ◦ a third-party impact (on clients).
  6. Example
     • The ICICI Bank Example
       ◦ A few customers of ICICI Bank received an e-mail asking for their Internet login name and password to their account.
       ◦ The e-mail seemed so genuine that some users even clicked on the URL given in the mail to a Web page that very closely resembled the official site.
       ◦ Such a scam is known as 'phishing'.
       ◦ On submission of the confidential information, the information was directed to another email ID.
  7. Classes of Cyber-Risks
     • Insider attack
     • Hardware failure
     • Configuration vulnerability (user settings)
     • Configuration vulnerability (default settings)
     • Viruses and worms
     • Targeted hacker attack
     • Standard software exploit requiring user interaction
     • Remote standard software exploit
     • Systemic errors (Y2K, break of assumed secure cryptography)
  8. Cyber-Insurance Scenario: Global Risk Correlation
     • Decisions are made at firm-level
  9. Cyber-Insurance Scenario: Internal Risk Correlation
     • Decisions are made at firm-level
  10. Two-Step Risk Arrival
  11. Who needs cyber insurance?
     • Do you?
       ◦ Use e-mail
       ◦ have networked PCs
       ◦ Web site
       ◦ private customer data in your computer systems
     • You may
       ◦ have firewalls
       ◦ virus protection
       ◦ anti-spam systems
       ◦ prudent procedures to protect passwords
       ◦ prevent employees from downloading dangerous material
  12. What is Cyber Insurance?
     • The steadily rising number of cyber crimes brings new urgency to efforts to strengthen IT security at every level.
     • IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks.
     • The most effective way to provide relatively comprehensive coverage for computer disasters is through cyber insurance.
     • Cyber insurance is considered a method of better managing IT security threats because cyber-policies cover areas normal insurance policies do not.
  13. Coverages
     • Typical coverages include the following:
       ◦ First-party business interruption covers revenue lost during system downtime caused by accidents and security breaches.
       ◦ First-party electronic data damage covers recovery costs associated with compromised data.
       ◦ Third-party network security liability covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit card fraud.
       ◦ Third-party media liability covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.
  14. Types of Cyber Insurance
     • Privacy and security liability
     • Crisis management
     • Business interruption, denial-of-service attack and lost income
     • Cyber extortion
     • Media or web content liability
  15. Cost of Cyber Insurance
     • Premiums vary according to your situation and the amount of coverage
     • Most companies issue stand-alone policies
       ◦ AIG’s netAdvantage
       ◦ Chubb’s SafetyNet and CyberSecurity
     • Annual premium would be $3,500 for about $1 million in coverage, with a $5,000 deductible. That would cover privacy and network security suits, identity theft resolution and Web content liability.
  17. How does Cyber Insurance work? Value-Vulnerability Grid
  18. Cyber-Insurance Management Framework
  19. Decision Plan
  20. Benefits Of Cyber Insurance
     • Prospective benefits of well-functioning markets for cyber-insurance include
       ◦ a focus on market-based risk management for information security, with a mechanism for spreading risk among participating stakeholders;
       ◦ greater incentives for private investments in information security that reduce risk not only for the investing organization but also for the network as a whole;
       ◦ better alignment of private and public benefits from security investments;
       ◦ better quantitative tools and metrics for assessing security;
       ◦ data aggregation and promulgation of best practices; and
       ◦ development of a robust institutional infrastructure that supports information security management.
  21. Benefits Of Cyber Insurance
     • Thus cyber-insurance can, in principle, be an important risk-management tool for strengthening IT security and reliability, both for individual stakeholders and for society at large.
     • But are these prospective benefits realistic and achievable?
  22. Trends In Cyber Insurance
     • Pre 1990: little commercial demand for property or liability insurance specifically covering losses from network security breaches or other IT-related problems.
     • Rapid growth of e-commerce kindled significant interest in such coverage. The Y2K computer problem, although ultimately resulting in little direct damage or loss, brought further attention to cyber-risk issues and pointed out the limitations of existing insurance coverage for IT failures.
     • Potential liability from IT security breaches has increased as a result of federal legislation in the US and Europe.
  23. Trends In Cyber Insurance
     • Mid 90s: few insurance companies developed specialized policies covering losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures.
     • Coverage was spotty and limited, but premiums were high. Moreover, numerous legal disputes arose over whether such losses could come under general commercial property or liability policies that were written to cover direct physical damage to tangible assets.
  24. Trends In Cyber Insurance
     • Businesses now generally buy stand-alone, specialized policies to cover cyber risks. According to Betterley Risk Consultants surveys, the annual gross premium revenue for cyber insurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006.
     • Industry experts believe that cyber insurance will be one of the fastest growing segments of the property and casualty market over the next several years.
  25. Trends in Cyber Insurance
  26. Limitations for Cyber Insurance
     • Asymmetric information
       ◦ A problem that exists for most established insurance markets as well as cyber insurance.
       ◦ Insurance companies feel the effect of asymmetric information both before and after a customer signs an insurance contract.
       ◦ Adverse selection problem
         ▪ A customer who has a higher risk of incurring a loss will find insurance at a given premium more attractive than a lower-risk customer. Differentiating between these two types of customers is crucial to running a profitable business.
       ◦ There are methods to reduce asymmetric information between insurer and policyholder, but none of them are foolproof.
  27. Limitations for Cyber Insurance
     • Second impact occurs after an insurance contract has been signed.
       ◦ Insured parties can take actions that increase or decrease the risk of claiming, but the insurer can't observe the insured's actions perfectly. The problem of moral hazard also arises under full insurance cover.
     • Partial insurance and clauses in the insurance contract may mitigate certain actions by the insured.
     • Many actions remain unobservable.
     • The problem of asymmetric information is common to all insurance markets; however, most markets function adequately given the range of tactics used by insurance companies to overcome these information asymmetries. Many of these remedies have developed over time in response to experience and result in the well-functioning insurance markets we see today.
  28. Limitations for Cyber Insurance
     • Interdependent and correlated risks
       ◦ To face a steady claim stream and avoid large spikes in payouts, insurers must maintain a sufficiently large policyholder base and insure risks that are relatively independent and uncorrelated.
       ◦ In the case of cyber insurance, risks might be correlated and interdependent.
       ◦ Events that are likely to result in concurrent claims from a substantial proportion of policyholders impose a high probability of ruin on a cyber-insurer.
  29. Limitations for Cyber Insurance
     • Inadequate reinsurance capacity
       ◦ Insurers face events that prompt many claims at once, such as large natural disasters.
       ◦ Primary underwriters can limit their total exposure by passing some of their risk to well-capitalized reinsurers.
       ◦ Geographically diversifying or even quantifying cyber-risks seems more problematic, however, because cyberattacks might be globally correlated and interdependent.
       ◦ Paucity of prior claims data coupled with the plausibility of simultaneous attacks worldwide makes reinsurers reluctant to provide catastrophe protection for business interruption or related cyberlosses that some think could reach US$100 billion.
  30. Limitations for Cyber Insurance
     • Insurers and reinsurers have spent a tremendous amount of time and resources to quantify the actual expected losses to any existing or theoretical portfolio of risks.
     • The Internet is unique in that, on the surface at least, it does not appear possible to model it in this way. Whereas natural-peril losses occur in a specific geographical location, the Internet is both everywhere and nowhere at the same time, while the perils to be protected are still being fully identified and defined.
     • The practical consequences of correlated and interdependent risks are seen in limited reinsurance capacity, which makes it difficult for large firms to obtain large cyber insurance policy limits.
  31. Thank You!