EB
Uploaded byEthan S. Burger
PPTX, PDF410 views

Ci2 cyber insurance presentation

The document discusses the challenges facing the cyber insurance market, noting its immaturity and the inadequacy of coverage provided to organizations, which may lead to financial crises. Although a robust cyber insurance market could promote preventative measures against cyber threats, many organizations remain under-insured and face high risks from potential cyber attacks. The document also highlights the systemic risks associated with cyber events and the role of governmental intervention in the industry's future.

Law

Embed presentation

Downloaded 30 times
5/19/2018 Institute of World Politics © Proprietary 2017 Santa Clara University May 3, 2018 Cyber Intelligence initiative (Ci2) Ethan S. Burger Institute of World Politics, Washington, D.C.
Institute of World Politics © Proprietary 2017 Can We Avert A Cyber-Insurance Market Crisis? May 3, 2018
Institute of World Politics © Proprietary 2017 . . . . PROBABLY NOT  The “immature” cyber insurance market fails to supply products that a majority of private organizations deem to be worth buying. This situation is unlikely to change in the foreseeable future.  Even those organizations that procure cyber-insurance are likely to ‘discover’ that their policies provide insufficient (e.g., face-values are too low) or inadequate cover (e.g., too many exclusions and reasons for denying claims), forcing these ‘insureds’ to absorb the costs of cyber-attacks on their own.  Many cyber insurance providers and their reinsurers seem to lack sufficient financial assets to cover multiple extreme cyber events, the consequences of which will be felt throughout the insurance industry and the national economy. .˙. As a result, extreme harm from cyber-attack campaigns against the national infrastructure and particular sectors (e.g., financial, energy), locales (e.g., city clusters), relationships (e.g., users of one cloud provider) will have a cascading effect likely to damage supply chains and consumer confidence, ultimately the magnitude of harm will create crises triggering governmental intervention.
Institute of World Politics © Proprietary 2017 Although Officially Agnostic, the Department of Homeland Seems To Promote Cyber-Insurance Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cyber-insurance market could reduce the number of successful cyber attacks by: (i) promoting the adoption of preventative measures (good cyberhygiene in return for more coverage; and (ii) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
Institute of World Politics © Proprietary 2017 Can Organizations Achieve Meaningful Cybersecurity’? What metrics to use? Individual organizations? Systemic approach? Cyber Maginot Line?
Institute of World Politics © Proprietary 2017 Threat Maps Highlight the Constancy of Cyber Attacks http://map.norsecorp.com/# https://cybermap.kaspersky.com https://community.blueliv.com/map http://en.blitzortung.org/live_lightning_maps.php https://www.fireeye.com/cuber-map.html http://www.csoonline.com/article/2366962/microsoft-subnet/spellbound-by- maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html
Institute of World Politics © Proprietary 2017 One Cannot Control Collateral Damage (Systemic Risk) Due to Cyber Attacks The Government seeks to protect '.gov' and '.mil' addresses, not 'com.’ (i.e. the rest of us). Former FBI Special Agent Clint Watts paraphrasing former National Security Advisor Tom Bossert; note that White House Cybersecurity Coordinator Robert Joyce also “stepped down last month. What are the implications for proponents of the Active Cyber Defense Certainty Act?
Institute of World Politics © Proprietary 2017 Blackhat USA 2017 Survey: Portrait of an Imminent Cyberthreat  60% of respondents believe that a successful cyber attack on US critical infrastructure will occur in the next 24 months.  69% are very concerned about state-sponsored hacking from countries such as China, Iran, North Korea, and Russia.  31% think it is likely that their organization will have to respond to a major security breach in the next 12 months.  59% fear they don’t have enough staff to meet the threat.  58% believe they don’t have adequate budgets. N = 580 Information Security Professionals
Institute of World Politics © Proprietary 2017 Are Cybersecurity Efforts Ultimately Futile? Exhibit 1: Not Necessarily: Consider the [Not]Petya Wiper Attack: “ “Cyberattack Hits Ukraine Then Spreads Internationally,” New York Times, June 27, 2017.
Institute of World Politics © Proprietary 2017 The Recent Wanna Cry & [Not]Petya Cyber-Attacks  These viruses were propagated without human intervention, but they are not regarded as very sophisticated. Estimated to have caused harm in the low billions of dollars, almost all of which will not be covered by insurance.  Whereas Wanna Cry ransomware was designed for financial gain, NotPetya seems to have been politically driven (attributed by UK and US to Russia( – seeking to maximize harm. Initial attacks against Ukrainian state bodies, it spread to DLA Piper (a U.S. firm), FedEx (U.S. delivery service company), MAERSK (Danish-based shipping company), Merck (U.S, pharmaceutical company), Rosneft (Russian oil company), and many others.  Good cyber-hygiene practices could have prevented infection. Only a minority of the victims carried stand-alone cyber insurance. But the common exclusions for failing to install patches, nation-state attackers, or otherwise failing to follow good cybersecurity practices are likely to prevent recoveries from insurers.
Institute of World Politics © Proprietary 2017 I People Will Always be Susceptible to Social Engineering The Insider Threat Cannot be Controlled Through Vetting & Monitoring “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons,” New York Times, June 27, 2017.
Institute of World Politics © Proprietary 2017 I Social Engineering Will Defeat the Best Cybersecurity Systems http://www.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/index.html
Institute of World Politics © Proprietary 2017 Full Disclosure: My Views Have Been Strongly Influenced by: Lloyd’s/Cyence, Counting the cost: Cyber exposure decoded,” Emerging Risks Report 2017 Technology, July 2017 (the Lloyd’s Study); Martin Ering & Jan Hendrick Wirfs, Cyber Insurance: Too Big to Insure, Institute of Insurance Economics, University St. Gallen, 2016, (the ‘IIE Study’); and Sasha Romanosky, et al., Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk, Rand White Paper (Draft), 2017 (the ‘Rand Study’).
Institute of World Politics © Proprietary 2017 Lloyd’s Study on Insurance Industry’s Cyber Risk  Lloyd’s of London issued a study suggesting that a global cyber-attack could cause harm greater than $53 billion (on average), and possibly as high as $121 billion.  The larger of these sums exceeds the damage caused by any natural disaster in the U.S. since 1980 – excluding Harvey ($125 Billion), Katrina ($105 billion), Maria ($90 Billion), California Fires, and Sandy ($70 billion).  According to Munich Re, in 2017, total insured losses from natural disasters $135 Billion with total losses of $330 Billion (the highest ever was $354 Billion in 2011).
Institute of World Politics © Proprietary 2017 IIE Study’s Key Findings ‘Cyber risks of daily life’ are usually insurable (e.g. data privacy risks). Nonetheless, organizations generally under-insure in cybersecurity. ‘Questionnaire only’ applications are unlikely to result in suitable cyber-insurance policies. Both organizations and the public benefit if the organizations go through the underwriting process. Completing an insurance application is an educational exercise, forcing one to think about cybersecurity, develop written cybersecurity policies, practices, and procedures), discuss cyber issues, inventory assets, preparing plans, etc. Sometimes insureds are afraid of the consequences of making an insurance claim. ‘Extreme Scenarios’ (e.g., a breakdown of the critical infrastructure) are difficult to insure, given the lack of good actuarial data, cumulative risk, and other problems of insurability. These scenarios are extremely likely to materialize in the next ten years. Hence, a two-tier approach might be appropriate: (i) improve insurability for ‘cyber risks of daily life’’ and engage in industry-wide cooperation; and (ii) address ‘extreme scenarios’ to the extent possible (e.g. look towards government programs and sector initiatives).
Institute of World Politics © Proprietary 2017 CYBER INSURANCE MARKET WATCH SURVEY (May 2017) Market Trends 32% of respondents’ clients purchased at least some form of cyber coverage. 27% of respondents’ clients purchased cyber insurance for the first time in the past six months. 44% of respondents’ clients increased their coverage in the past six months. 76% of those with cyber insurance have standalone policies. Pricing Trends $6 MILLION IS THE TYPICAL INSURANCE POLICY LIMIT, BUT POLICIES FOR $300-500 MILLION ARE AVAILABLE. ! ! ! 31% of respondents said premium prices generally decreased over the last six months (SURPRISING Outcome). Underwriting 42% of respondents have seen some tightening of carrier underwriting practices in the last six months. 75% of respondents believe there is adequate clarity as to what is included and excluded under a cyber policy (SURPRISING VIEW ! ! !). 98% of respondents noted that capacity in the market is either plentiful or increasing. Cybersecurity/Cyber Risk 72% of respondents have a strategic approach to marketing and educating clients about cyber risks. 31% of respondents’ clients have an information security program in place, focused on prevention, detection, containment, and response.
Institute of World Politics © Proprietary 2017 Principal Properties of Cyber Risks  Cyber-losses results in both short-tail and long-tail losses.  There are 1st and 3rd Party (i.e., property and liability) losses.  4Pas  Cyber losses are not independent events (correlations between cyber risk).  Cyber insurance market has a small number of providers (≈ 60) and as a percentage of portfolio value .  Human beings are the weakest link (victims of social engineering & negligence)  Uncertainty about data (modeling approaches untested actuarial standards).  Risk of change (historical data is not necessarily a good indicator of the future).  Extreme events are difficult to estimate (low frequency, high severity occurrence).  Insurance coverage limited (high deductibles are common).
Institute of World Politics © Proprietary 2017 Cyber-Insurance Market Place Reality Report for 2018 (Willis Towers Watson, December 2017) 1. “Total annual premiums collected will climb as more companies seek coverage.” 2. It is not clear that “capacity will keep up with rising demand, helping keep rates in check” in light of NY Cybersecurity Requirements for Financial Services Companies & EU General Data Protection Regulations (GDPA) – both will serve as models. 3. “Carriers will scrutinize risks, rewarding those with the most robust cybersecurity programs” allowing them to be more particular about whom them will insure. 4. “Demand for coverage will shift” to Europe and East Asia. 5. Coverage will expand as carriers address gaps in property, general liability and special crime coverage as cyber policies themselves (ransomware, social engineering, terrorism).
Institute of World Politics © Proprietary 2017 1ST PARTY INSURANCE COVERAGE  Loss or Damage to Electronic Data -- cover losses caused by damage, theft, disruption or corruption of data due to covered peril (e.g., hack, virus, or denial of service, but seldom employee error including social engineering such as costs to restore, recover. and reconstruct data).  Loss of Income and/or Extra Expenses -- covers income lost and extra expenses incurred to avoid or minimize a shutdown of business due to a covered peril.  Loss of Property -- covers physical damage to buildings, fixtures, land (e.g., clean-up), or personal property loss.  Cyber Extortion Losses – covers expenses incurred (with the insurers’ consent) due to extortion demand, (e.g., ransomware).  Notification Costs – covers costs of notifying parties mandated by government statutes or regulations (breaches and identity theft), as well as for legal counsel, credit protection services, and call centers).  Other Insurance – damage to reputation (marketing and public relations); crime (various); Fidelity Bonds, terrorism (Terrorism Risk Insurance Act (TRIA)). 3RD PARTY INSURANCE COVERAGE  Network Security Liability -- covers harm due to data breaches or to the inability of others to access data on insureds’ computer systems. There is also cover where the insured’s personnel or IT systems (e.g. as a result of botnets causing harm to another).  Network Privacy Liability -- covers harm based on allegations that insureds failed to properly protect sensitive data stored on their computer systems. The data may belong to customers, clients, employees, and other parties (is “privity” a problem?).  Electronic Media Liability -- covers harm for acts like libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement (is “publication” an issue?).  Costs Connected to Regulatory Proceedings -- covers damages, defense costs, fines, etc.
Institute of World Politics © Proprietary 2017 Some Common Cyber-Insurance Policy Exclusions  Data taken from paper and similar records.  Employee privacy claims for released data.  Fraud, intentional, and illegal misconduct committed by insured.  Lack of cyber-hygiene (failure to encrypt data or install software updates and security patches).  Mechanical/electronic failure and other acts of God.  Mobile electronic devices (computers, cell phones, etc.).  Nation-states, organized criminal groups, and terrorists (and persons acting on their behalf). Attribution issues will arise, but how is the final coverage decision reached? It will be a costly, inexact process.  Patent, software, copyright infringement.  Prior notice (knowledge, suspicions).  Secondary liability for personal injury & property damage.  Vicarious liability for data breaches by third-party vendors.
Institute of World Politics © Proprietary 2017 Why is the Cyber-Insurance Market Not ‘Mature’?  Insufficient actuarial data to support meaningful underwriting (unlike automobile, home-owner, and maritime insurance). Lack of trust between insurance companies and potential insureds. Are the applications complete and candid? If they are not, insureds will have difficulty collected on claims.  Insurance companies are eager to write cyber-insurance policies to cash in on a new market, albeit with an insufficient understanding of their potential financial exposure due to cumulative risk. As a consequence, there are incentives for insurance companies to find reasons for denying coverage.  Cyber-insurance policies lack standard (and tested) language. Cyber-insurance is not a commodity since it is crafted for the insureds, whose profiles vary considerably. Litigation outcomes are unpredictable.  Key development: Allianz will provide discounted cyber security insurance coverage to customers that use certain Apple devices and Cisco security products. Aon will perform security consulting.
Institute of World Politics © Proprietary 2017 Disquieting Questions About Cyber-Insurance  If the global value of cyber-insurance premiums written is estimated at $3.5bn, but the global cost of cyber-crime exceeds $450bn annually (see Aon chief warns that insurance industry is losing its relevance, FT, 4/25/2018) can the ‘cyber-insurance market’ be viable?  When the cyber-insurance policy is in force, how can insurers be confident that the insureds’ cybersecurity ‘baseline’ are being observed?  Rather than a cyber 9/11 or Pearl Harbor, is the interconnected of the economy and the Internet of Things likely to cause a collapse in consumer and business confidence.
Institute of World Politics © Proprietary 2017 What’s a Government to Do? Federal Government (alone or with National Association Insurance Commissioners) can: 1. Promote through incentives the use of standardized insurance policy provisions and language to promote underwriting standards to strengthen the cyber-insurance market; 2. Create cyber-insurance policy pools; and 3. Establish either federal flood or terrorism-like programs (but Flood Insurance Program is insolvent). Two Obstacles: 1. Lack of political consensus of relevant roles and responsibilities of government (note Flood Insurance Program has a huge deficit). 2. Given problems with the Affordable Care Act, is it realistic to expect the government to take on role of national cyber hygienist?
Institute of World Politics © Proprietary 2017 QUESTIONS CONTACT OUR SPEAKER ETHAN S BURGER AT ethansb@post.harvard.edu

More Related Content

PPTX
The Basics of Cyber Insurance
byHB Litigation Conferences
 
PPT
Cyber Insurance Temp
byRohan Sehgal
 
PDF
10 Reasons to buy Cyber Liability Insurance
byHubbard Insurance Group
 
PDF
Managing and insuring cyber risk - coverage of insurance policies
byIISPEastMids
 
PDF
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
PPTX
Cyber Liability - Insurance Risk Management and Preparation
byEric Reehl
 
PPT
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
PDF
CMW Cyber Liability Presentation
bySean Graham
 
The Basics of Cyber Insurance
byHB Litigation Conferences
 
Cyber Insurance Temp
byRohan Sehgal
 
10 Reasons to buy Cyber Liability Insurance
byHubbard Insurance Group
 
Managing and insuring cyber risk - coverage of insurance policies
byIISPEastMids
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
Cyber Liability - Insurance Risk Management and Preparation
byEric Reehl
 
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
CMW Cyber Liability Presentation
bySean Graham
 

What's hot

PDF
Cyber Liability Risk
byChristopher Rieser
 
PDF
Cyber liaility insurance the basics
byChandrasekar Koushik ACII®
 
PDF
Cyber Insurance - The Basics
byChris Stallard
 
PPTX
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
byDon Grauel
 
PDF
Protecting Your Business From Cyber Risks
byThis account is closed
 
PPTX
CS3: Cybersecurity Extortion & Fraud
byPaige Rasid
 
PPTX
Banks and cybersecurity v2
bySemir Ibrahimovic
 
PPTX
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
byHB Litigation Conferences
 
PDF
Cybersecurity and The Board
byPaul Melson
 
PPTX
Cybersecurity & the Board of Directors
byAbdul-Hakeem Ajijola
 
PPT
Data Risks In A Digital Age
bypadler01
 
PDF
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
byStatewide Insurance Brokers
 
PPT
Shaping Your Future in Banking Cybersecurity
byDawn Yankeelov
 
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
PPTX
Cyber Insurance CLE
bySarah Stogner
 
PPTX
Mass 201 CMR 17 Data Privacy Law
byguest8b10a3
 
PPTX
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
PDF
BEA Presentation
byGlenn E. Davis
 
PDF
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
bySafeNet
 
PDF
The Legal Case for Cybersecurity
byShawn Tuma
 
Cyber Liability Risk
byChristopher Rieser
 
Cyber liaility insurance the basics
byChandrasekar Koushik ACII®
 
Cyber Insurance - The Basics
byChris Stallard
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
byDon Grauel
 
Protecting Your Business From Cyber Risks
byThis account is closed
 
CS3: Cybersecurity Extortion & Fraud
byPaige Rasid
 
Banks and cybersecurity v2
bySemir Ibrahimovic
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
byHB Litigation Conferences
 
Cybersecurity and The Board
byPaul Melson
 
Cybersecurity & the Board of Directors
byAbdul-Hakeem Ajijola
 
Data Risks In A Digital Age
bypadler01
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
byStatewide Insurance Brokers
 
Shaping Your Future in Banking Cybersecurity
byDawn Yankeelov
 
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
Cyber Insurance CLE
bySarah Stogner
 
Mass 201 CMR 17 Data Privacy Law
byguest8b10a3
 
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
BEA Presentation
byGlenn E. Davis
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
bySafeNet
 
The Legal Case for Cybersecurity
byShawn Tuma
 

Similar to Ci2 cyber insurance presentation

PPTX
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
byJay Kesan
 
PDF
Cover and CyberSecurity Essay
byMichael Solomon
 
PDF
Cloud security law cyber insurance issues phx 2015 06 19 v1
byMichael C. Keeling, Esq.
 
PDF
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
byCNseg
 
PPTX
Cyber Insurance as Digital Strategy
byRandeep Sudan
 
PPTX
Ransomware Bootcamp with CTEK and GroupSense
bySophiaPalmira1
 
PPTX
CynergisTek’s Ransomware Bootcamp
bySophia Price
 
DOCX
Curious case of cyber insurance
byHimanshu Pareek
 
PDF
Global Cyber Market Overview June 2017
byGraeme Cross
 
PPTX
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
PPTX
What Building Owners Need to Know About Cyber Security Insurance!
byMemoori
 
PDF
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
byJef Lacson
 
PDF
Digital economy and its effect on cyber risk
byaakash malhotra
 
PDF
Cyber Insurance Mathematical Model & Pricing
byBaraDaniel1
 
PDF
Lynch2015 - History Likely Not Enough to Price Ever-Shifting Cyberrisk
byRaveem Ismail
 
PPTX
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
byCODE BLUE
 
PDF
Policy Guide for Legislators
byKristin Judge
 
PDF
2018 State of Cyber Resilience for Insurance
byAccenture Insurance
 
PDF
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 
PPTX
IT & Network Security Awareness
byThe Network Support Company
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
byJay Kesan
 
Cover and CyberSecurity Essay
byMichael Solomon
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
byMichael C. Keeling, Esq.
 
6º Resseguro - A Evolução do Risco Cibernético e seu Impacto no Seguro - Kara...
byCNseg
 
Cyber Insurance as Digital Strategy
byRandeep Sudan
 
Ransomware Bootcamp with CTEK and GroupSense
bySophiaPalmira1
 
CynergisTek’s Ransomware Bootcamp
bySophia Price
 
Curious case of cyber insurance
byHimanshu Pareek
 
Global Cyber Market Overview June 2017
byGraeme Cross
 
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
What Building Owners Need to Know About Cyber Security Insurance!
byMemoori
 
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
byJef Lacson
 
Digital economy and its effect on cyber risk
byaakash malhotra
 
Cyber Insurance Mathematical Model & Pricing
byBaraDaniel1
 
Lynch2015 - History Likely Not Enough to Price Ever-Shifting Cyberrisk
byRaveem Ismail
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
byCODE BLUE
 
Policy Guide for Legislators
byKristin Judge
 
2018 State of Cyber Resilience for Insurance
byAccenture Insurance
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 
IT & Network Security Awareness
byThe Network Support Company
 

More from Ethan S. Burger

PPTX
Can We Avert A Cyber-Insurance Market Crisis?
byEthan S. Burger
 
PPT
2018 april - aba legal construct for understanding adversarial cyber activit...
byEthan S. Burger
 
PPT
2018 february - gulc symposium -- roc
byEthan S. Burger
 
PPTX
2016 December -- Lithuanian Hybrid War Presentation
byEthan S. Burger
 
PPT
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
byEthan S. Burger
 
PPT
2016 October 4 -- EHU US Presidential Election
byEthan S. Burger
 
PPTX
2011 -- AUSTRAC Presentation on Russian OCGs
byEthan S. Burger
 
PPT
2016 -- Ukrainian Presentation -- Final
byEthan S. Burger
 
PDF
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
byEthan S. Burger
 
Can We Avert A Cyber-Insurance Market Crisis?
byEthan S. Burger
 
2018 april - aba legal construct for understanding adversarial cyber activit...
byEthan S. Burger
 
2018 february - gulc symposium -- roc
byEthan S. Burger
 
2016 December -- Lithuanian Hybrid War Presentation
byEthan S. Burger
 
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
byEthan S. Burger
 
2016 October 4 -- EHU US Presidential Election
byEthan S. Burger
 
2011 -- AUSTRAC Presentation on Russian OCGs
byEthan S. Burger
 
2016 -- Ukrainian Presentation -- Final
byEthan S. Burger
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
byEthan S. Burger
 

Recently uploaded

PDF
Legal Strategies for Startup Success MA final.pdf
byRoger Royse
 
PDF
McDowell Law Firm: The Services We Offer
byJosh Mcdowell
 
PPTX
The Role of a Criminal Defense Lawyer in San Diego’s Justice System.pptx
byKG LAW SD, APC
 
PPT
Chapter 2. Ethics and Business Ethics.ppt
byGetachewGobenaAmesge
 
PDF
AHRP LB - Limited Liability Company Administration Under the New Minister of ...
byAHRP Law Firm
 
PDF
display_pdf.php_.pdf Guahati High Cort Doyjan
bysabranghindi
 
PPTX
BJS Preparation Series-Sentencing Powers Under CrPC,1898.pptx
by Judge Nazmul Hasan.
 
PDF
TISS-Student.pdf Students warned Judges Court
bysabranghindi
 
PDF
Danielle Oliveira New Jersey - A Central Figure In New Jersey Criminal Justice
byDanielle Oliveira New Jersey
 
PDF
“Trusted Cyber-Offence Legal Services – Sharma & Company”
byjavedumarjaved83
 
PPTX
Documents Required for Trademark Registration in India
bylegalxcode
 
PDF
DR. OLIVER MASSMANN - DOING BUSINESS AND INVESTING IN VIETNAM
byDr. Oliver Massmann
 
PDF
Lessons from Korea’s Platform Competition Regulation Saga
bySangyun Lee
 
PDF
Professional Journey and Achievement - Adv. Olengurumwa
byOnesmo Olengurumwa
 
PDF
AHP-Data-dec-20-29-1.pdf AHP Pravin Togaria
bysabranghindi
 
PPTX
GROUP 1 - ELECTRONIC COMMERCE ACT OF 2000.pptx
bydadaygonza
 
PPTX
Documentary Requirements for Copyright Registration in India
bylegalxcode
 
PDF
DMCC Supplier Code of Conduct Policy 2026
byDubai Multi Commodity Centre
 
PPTX
BJS Preparation Series-CrPC-Lecture-2 Part 02 - Legal Distinctions.pptx
by Judge Nazmul Hasan.
 
PDF
Apply for an Australian Visa for Skilled Work.pdf
byBridgeWest.eu
 
Legal Strategies for Startup Success MA final.pdf
byRoger Royse
 
McDowell Law Firm: The Services We Offer
byJosh Mcdowell
 
The Role of a Criminal Defense Lawyer in San Diego’s Justice System.pptx
byKG LAW SD, APC
 
Chapter 2. Ethics and Business Ethics.ppt
byGetachewGobenaAmesge
 
AHRP LB - Limited Liability Company Administration Under the New Minister of ...
byAHRP Law Firm
 
display_pdf.php_.pdf Guahati High Cort Doyjan
bysabranghindi
 
BJS Preparation Series-Sentencing Powers Under CrPC,1898.pptx
by Judge Nazmul Hasan.
 
TISS-Student.pdf Students warned Judges Court
bysabranghindi
 
Danielle Oliveira New Jersey - A Central Figure In New Jersey Criminal Justice
byDanielle Oliveira New Jersey
 
“Trusted Cyber-Offence Legal Services – Sharma & Company”
byjavedumarjaved83
 
Documents Required for Trademark Registration in India
bylegalxcode
 
DR. OLIVER MASSMANN - DOING BUSINESS AND INVESTING IN VIETNAM
byDr. Oliver Massmann
 
Lessons from Korea’s Platform Competition Regulation Saga
bySangyun Lee
 
Professional Journey and Achievement - Adv. Olengurumwa
byOnesmo Olengurumwa
 
AHP-Data-dec-20-29-1.pdf AHP Pravin Togaria
bysabranghindi
 
GROUP 1 - ELECTRONIC COMMERCE ACT OF 2000.pptx
bydadaygonza
 
Documentary Requirements for Copyright Registration in India
bylegalxcode
 
DMCC Supplier Code of Conduct Policy 2026
byDubai Multi Commodity Centre
 
BJS Preparation Series-CrPC-Lecture-2 Part 02 - Legal Distinctions.pptx
by Judge Nazmul Hasan.
 
Apply for an Australian Visa for Skilled Work.pdf
byBridgeWest.eu
 

Ci2 cyber insurance presentation

  • 1.
    5/19/2018 Institute ofWorld Politics © Proprietary 2017 Santa Clara University May 3, 2018 Cyber Intelligence initiative (Ci2) Ethan S. Burger Institute of World Politics, Washington, D.C.
  • 2.
    Institute of WorldPolitics © Proprietary 2017 Can We Avert A Cyber-Insurance Market Crisis? May 3, 2018
  • 3.
    Institute of WorldPolitics © Proprietary 2017 . . . . PROBABLY NOT  The “immature” cyber insurance market fails to supply products that a majority of private organizations deem to be worth buying. This situation is unlikely to change in the foreseeable future.  Even those organizations that procure cyber-insurance are likely to ‘discover’ that their policies provide insufficient (e.g., face-values are too low) or inadequate cover (e.g., too many exclusions and reasons for denying claims), forcing these ‘insureds’ to absorb the costs of cyber-attacks on their own.  Many cyber insurance providers and their reinsurers seem to lack sufficient financial assets to cover multiple extreme cyber events, the consequences of which will be felt throughout the insurance industry and the national economy. .˙. As a result, extreme harm from cyber-attack campaigns against the national infrastructure and particular sectors (e.g., financial, energy), locales (e.g., city clusters), relationships (e.g., users of one cloud provider) will have a cascading effect likely to damage supply chains and consumer confidence, ultimately the magnitude of harm will create crises triggering governmental intervention.
  • 4.
    Institute of WorldPolitics © Proprietary 2017 Although Officially Agnostic, the Department of Homeland Seems To Promote Cyber-Insurance Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cyber-insurance market could reduce the number of successful cyber attacks by: (i) promoting the adoption of preventative measures (good cyberhygiene in return for more coverage; and (ii) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
  • 5.
    Institute of WorldPolitics © Proprietary 2017 Can Organizations Achieve Meaningful Cybersecurity’? What metrics to use? Individual organizations? Systemic approach? Cyber Maginot Line?
  • 6.
    Institute of WorldPolitics © Proprietary 2017 Threat Maps Highlight the Constancy of Cyber Attacks http://map.norsecorp.com/# https://cybermap.kaspersky.com https://community.blueliv.com/map http://en.blitzortung.org/live_lightning_maps.php https://www.fireeye.com/cuber-map.html http://www.csoonline.com/article/2366962/microsoft-subnet/spellbound-by- maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html
  • 7.
    Institute of WorldPolitics © Proprietary 2017 One Cannot Control Collateral Damage (Systemic Risk) Due to Cyber Attacks The Government seeks to protect '.gov' and '.mil' addresses, not 'com.’ (i.e. the rest of us). Former FBI Special Agent Clint Watts paraphrasing former National Security Advisor Tom Bossert; note that White House Cybersecurity Coordinator Robert Joyce also “stepped down last month. What are the implications for proponents of the Active Cyber Defense Certainty Act?
  • 8.
    Institute of WorldPolitics © Proprietary 2017 Blackhat USA 2017 Survey: Portrait of an Imminent Cyberthreat  60% of respondents believe that a successful cyber attack on US critical infrastructure will occur in the next 24 months.  69% are very concerned about state-sponsored hacking from countries such as China, Iran, North Korea, and Russia.  31% think it is likely that their organization will have to respond to a major security breach in the next 12 months.  59% fear they don’t have enough staff to meet the threat.  58% believe they don’t have adequate budgets. N = 580 Information Security Professionals
  • 9.
    Institute of WorldPolitics © Proprietary 2017 Are Cybersecurity Efforts Ultimately Futile? Exhibit 1: Not Necessarily: Consider the [Not]Petya Wiper Attack: “ “Cyberattack Hits Ukraine Then Spreads Internationally,” New York Times, June 27, 2017.
  • 10.
    Institute of WorldPolitics © Proprietary 2017 The Recent Wanna Cry & [Not]Petya Cyber-Attacks  These viruses were propagated without human intervention, but they are not regarded as very sophisticated. Estimated to have caused harm in the low billions of dollars, almost all of which will not be covered by insurance.  Whereas Wanna Cry ransomware was designed for financial gain, NotPetya seems to have been politically driven (attributed by UK and US to Russia( – seeking to maximize harm. Initial attacks against Ukrainian state bodies, it spread to DLA Piper (a U.S. firm), FedEx (U.S. delivery service company), MAERSK (Danish-based shipping company), Merck (U.S, pharmaceutical company), Rosneft (Russian oil company), and many others.  Good cyber-hygiene practices could have prevented infection. Only a minority of the victims carried stand-alone cyber insurance. But the common exclusions for failing to install patches, nation-state attackers, or otherwise failing to follow good cybersecurity practices are likely to prevent recoveries from insurers.
  • 11.
    Institute of WorldPolitics © Proprietary 2017 I People Will Always be Susceptible to Social Engineering The Insider Threat Cannot be Controlled Through Vetting & Monitoring “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons,” New York Times, June 27, 2017.
  • 12.
    Institute of WorldPolitics © Proprietary 2017 I Social Engineering Will Defeat the Best Cybersecurity Systems http://www.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/index.html
  • 13.
    Institute of WorldPolitics © Proprietary 2017 Full Disclosure: My Views Have Been Strongly Influenced by: Lloyd’s/Cyence, Counting the cost: Cyber exposure decoded,” Emerging Risks Report 2017 Technology, July 2017 (the Lloyd’s Study); Martin Ering & Jan Hendrick Wirfs, Cyber Insurance: Too Big to Insure, Institute of Insurance Economics, University St. Gallen, 2016, (the ‘IIE Study’); and Sasha Romanosky, et al., Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk, Rand White Paper (Draft), 2017 (the ‘Rand Study’).
  • 14.
    Institute of WorldPolitics © Proprietary 2017 Lloyd’s Study on Insurance Industry’s Cyber Risk  Lloyd’s of London issued a study suggesting that a global cyber-attack could cause harm greater than $53 billion (on average), and possibly as high as $121 billion.  The larger of these sums exceeds the damage caused by any natural disaster in the U.S. since 1980 – excluding Harvey ($125 Billion), Katrina ($105 billion), Maria ($90 Billion), California Fires, and Sandy ($70 billion).  According to Munich Re, in 2017, total insured losses from natural disasters $135 Billion with total losses of $330 Billion (the highest ever was $354 Billion in 2011).
  • 15.
    Institute of WorldPolitics © Proprietary 2017 IIE Study’s Key Findings ‘Cyber risks of daily life’ are usually insurable (e.g. data privacy risks). Nonetheless, organizations generally under-insure in cybersecurity. ‘Questionnaire only’ applications are unlikely to result in suitable cyber-insurance policies. Both organizations and the public benefit if the organizations go through the underwriting process. Completing an insurance application is an educational exercise, forcing one to think about cybersecurity, develop written cybersecurity policies, practices, and procedures), discuss cyber issues, inventory assets, preparing plans, etc. Sometimes insureds are afraid of the consequences of making an insurance claim. ‘Extreme Scenarios’ (e.g., a breakdown of the critical infrastructure) are difficult to insure, given the lack of good actuarial data, cumulative risk, and other problems of insurability. These scenarios are extremely likely to materialize in the next ten years. Hence, a two-tier approach might be appropriate: (i) improve insurability for ‘cyber risks of daily life’’ and engage in industry-wide cooperation; and (ii) address ‘extreme scenarios’ to the extent possible (e.g. look towards government programs and sector initiatives).
  • 16.
    Institute of WorldPolitics © Proprietary 2017 CYBER INSURANCE MARKET WATCH SURVEY (May 2017) Market Trends 32% of respondents’ clients purchased at least some form of cyber coverage. 27% of respondents’ clients purchased cyber insurance for the first time in the past six months. 44% of respondents’ clients increased their coverage in the past six months. 76% of those with cyber insurance have standalone policies. Pricing Trends $6 MILLION IS THE TYPICAL INSURANCE POLICY LIMIT, BUT POLICIES FOR $300-500 MILLION ARE AVAILABLE. ! ! ! 31% of respondents said premium prices generally decreased over the last six months (SURPRISING Outcome). Underwriting 42% of respondents have seen some tightening of carrier underwriting practices in the last six months. 75% of respondents believe there is adequate clarity as to what is included and excluded under a cyber policy (SURPRISING VIEW ! ! !). 98% of respondents noted that capacity in the market is either plentiful or increasing. Cybersecurity/Cyber Risk 72% of respondents have a strategic approach to marketing and educating clients about cyber risks. 31% of respondents’ clients have an information security program in place, focused on prevention, detection, containment, and response.
  • 17.
    Institute of WorldPolitics © Proprietary 2017 Principal Properties of Cyber Risks  Cyber-losses results in both short-tail and long-tail losses.  There are 1st and 3rd Party (i.e., property and liability) losses.  4Pas  Cyber losses are not independent events (correlations between cyber risk).  Cyber insurance market has a small number of providers (≈ 60) and as a percentage of portfolio value .  Human beings are the weakest link (victims of social engineering & negligence)  Uncertainty about data (modeling approaches untested actuarial standards).  Risk of change (historical data is not necessarily a good indicator of the future).  Extreme events are difficult to estimate (low frequency, high severity occurrence).  Insurance coverage limited (high deductibles are common).
  • 18.
    Institute of WorldPolitics © Proprietary 2017 Cyber-Insurance Market Place Reality Report for 2018 (Willis Towers Watson, December 2017) 1. “Total annual premiums collected will climb as more companies seek coverage.” 2. It is not clear that “capacity will keep up with rising demand, helping keep rates in check” in light of NY Cybersecurity Requirements for Financial Services Companies & EU General Data Protection Regulations (GDPA) – both will serve as models. 3. “Carriers will scrutinize risks, rewarding those with the most robust cybersecurity programs” allowing them to be more particular about whom them will insure. 4. “Demand for coverage will shift” to Europe and East Asia. 5. Coverage will expand as carriers address gaps in property, general liability and special crime coverage as cyber policies themselves (ransomware, social engineering, terrorism).
  • 19.
    Institute of WorldPolitics © Proprietary 2017 1ST PARTY INSURANCE COVERAGE  Loss or Damage to Electronic Data -- cover losses caused by damage, theft, disruption or corruption of data due to covered peril (e.g., hack, virus, or denial of service, but seldom employee error including social engineering such as costs to restore, recover. and reconstruct data).  Loss of Income and/or Extra Expenses -- covers income lost and extra expenses incurred to avoid or minimize a shutdown of business due to a covered peril.  Loss of Property -- covers physical damage to buildings, fixtures, land (e.g., clean-up), or personal property loss.  Cyber Extortion Losses – covers expenses incurred (with the insurers’ consent) due to extortion demand, (e.g., ransomware).  Notification Costs – covers costs of notifying parties mandated by government statutes or regulations (breaches and identity theft), as well as for legal counsel, credit protection services, and call centers).  Other Insurance – damage to reputation (marketing and public relations); crime (various); Fidelity Bonds, terrorism (Terrorism Risk Insurance Act (TRIA)). 3RD PARTY INSURANCE COVERAGE  Network Security Liability -- covers harm due to data breaches or to the inability of others to access data on insureds’ computer systems. There is also cover where the insured’s personnel or IT systems (e.g. as a result of botnets causing harm to another).  Network Privacy Liability -- covers harm based on allegations that insureds failed to properly protect sensitive data stored on their computer systems. The data may belong to customers, clients, employees, and other parties (is “privity” a problem?).  Electronic Media Liability -- covers harm for acts like libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement (is “publication” an issue?).  Costs Connected to Regulatory Proceedings -- covers damages, defense costs, fines, etc.
  • 20.
    Institute of WorldPolitics © Proprietary 2017 Some Common Cyber-Insurance Policy Exclusions  Data taken from paper and similar records.  Employee privacy claims for released data.  Fraud, intentional, and illegal misconduct committed by insured.  Lack of cyber-hygiene (failure to encrypt data or install software updates and security patches).  Mechanical/electronic failure and other acts of God.  Mobile electronic devices (computers, cell phones, etc.).  Nation-states, organized criminal groups, and terrorists (and persons acting on their behalf). Attribution issues will arise, but how is the final coverage decision reached? It will be a costly, inexact process.  Patent, software, copyright infringement.  Prior notice (knowledge, suspicions).  Secondary liability for personal injury & property damage.  Vicarious liability for data breaches by third-party vendors.
  • 21.
    Institute of WorldPolitics © Proprietary 2017 Why is the Cyber-Insurance Market Not ‘Mature’?  Insufficient actuarial data to support meaningful underwriting (unlike automobile, home-owner, and maritime insurance). Lack of trust between insurance companies and potential insureds. Are the applications complete and candid? If they are not, insureds will have difficulty collected on claims.  Insurance companies are eager to write cyber-insurance policies to cash in on a new market, albeit with an insufficient understanding of their potential financial exposure due to cumulative risk. As a consequence, there are incentives for insurance companies to find reasons for denying coverage.  Cyber-insurance policies lack standard (and tested) language. Cyber-insurance is not a commodity since it is crafted for the insureds, whose profiles vary considerably. Litigation outcomes are unpredictable.  Key development: Allianz will provide discounted cyber security insurance coverage to customers that use certain Apple devices and Cisco security products. Aon will perform security consulting.
  • 22.
    Institute of WorldPolitics © Proprietary 2017 Disquieting Questions About Cyber-Insurance  If the global value of cyber-insurance premiums written is estimated at $3.5bn, but the global cost of cyber-crime exceeds $450bn annually (see Aon chief warns that insurance industry is losing its relevance, FT, 4/25/2018) can the ‘cyber-insurance market’ be viable?  When the cyber-insurance policy is in force, how can insurers be confident that the insureds’ cybersecurity ‘baseline’ are being observed?  Rather than a cyber 9/11 or Pearl Harbor, is the interconnected of the economy and the Internet of Things likely to cause a collapse in consumer and business confidence.
  • 23.
    Institute of WorldPolitics © Proprietary 2017 What’s a Government to Do? Federal Government (alone or with National Association Insurance Commissioners) can: 1. Promote through incentives the use of standardized insurance policy provisions and language to promote underwriting standards to strengthen the cyber-insurance market; 2. Create cyber-insurance policy pools; and 3. Establish either federal flood or terrorism-like programs (but Flood Insurance Program is insolvent). Two Obstacles: 1. Lack of political consensus of relevant roles and responsibilities of government (note Flood Insurance Program has a huge deficit). 2. Given problems with the Affordable Care Act, is it realistic to expect the government to take on role of national cyber hygienist?
  • 24.
    Institute of WorldPolitics © Proprietary 2017 QUESTIONS CONTACT OUR SPEAKER ETHAN S BURGER AT ethansb@post.harvard.edu