Cyber Insurance
Philippe Aerni
Head FinPro, Swiss Re Corporate Solutions
Willy D. Stoessel
Head Cyber, Technology & Construction, Swiss Re Corporate Solutions
Wherever there is an internet connection, there is also a risk. Regardless of whether it is large or small, public or private, almost every organisation is exposed to the danger of damage from a cyberattack. Most of us will think: "But the probability is surely quite low." In fact, the danger is very real. The scale and sophistication of malicious cyber activity have increased considerably, and the cost of a cyberattack can reach the order of billions of US dollars. Unless cyber risk is actively tackled by all parties involved (companies, insurance carriers, governments and regulators), the financial impact on organisations will remain significant.
We will give an introduction to the insurance solutions currently offered to cover risk exposures related to cyberspace. We will outline the challenges the insurance industry faces today in a constantly changing cyber risk environment. We will present some cases that have also been covered in the media, and the effect they have on an insurance policy. We want to give an overview of the current cooperation between IBM and Swiss Re Corporate Solutions and answer the question of how we intend to shape the future of cyber insurance.
1. Presentation at IS Directors Conference | Interlaken - 18 September 2015 1
Cyber Insurance: a time journey, the past, the present and a glimpse at the future
Presentation IS Directors Forum 2015 – Interlaken
by Philippe Aerni & Willy Stössel
Table of Contents
• Introduction
• Coverage and Services provided
• Loss Examples and Scenarios
• Underwriting Criteria for Risk Selection
• Outlook
Swiss Re Corporate Solutions Approach: Underwriting Technology E&O and Cyber Insurance
• Swiss Re Corporate Solutions has been underwriting Technology E&O (TMT – Technology, Media & Telecom) since 2001
• Cyber liability extensions and all first-party extensions have been added over the years to all Technology E&O policies in the US market
• Swiss Re Corporate Solutions has dedicated Underwriters for this line of business in New York, London, Zurich and Paris
• Swiss Re Corporate Solutions Risk Engineering and Group Risk Management & Information Security support the Underwriters in the risk assessment
Cyber Risks: Nightmare or Opportunity?
[Image; source unknown, copyright protection may apply]
Coverage and Services provided
5 facts about the Cyber insurance market
• Worldwide estimated premium 2014: USD 1.5-2b (2013: ~USD 1.2b; 2012: ~USD 800m)
• Competitive rates, as carriers try to defend or gain market share
• Full limits available for coverages that were sub-limited before
• Healthcare is the fastest growing Cyber insurance buying segment
• North America has the highest demand for Cyber insurance globally; in Europe, low-to-mid demand will be driven by regulation
The Cyber Risk Landscape
Insurance Cover Landscape: Traditional Policies vs specific Cyber Policies

Existing Policy Landscape (traditional policies)
• Tech, Media & Telecom (E&O)
  – Errors & Omissions: Tech Services, Tech Products
  – IP Infringement: Copyright, Trademark, Patent *
• GL (General Liability)
  – Advertisement, Personal Injury: Libel, Slander, Defamation
• Property / Crime (PD/BI & Crime)
  – PD/BI requires "direct physical loss" -> not satisfied by a cyber event
  – Crime: requires intent and only covers money, securities and tangible property

New Policy Landscape (specific Cyber policies)
• Privacy
  – Unintentional Disclosure
  – Unintentional Breach of Privacy Policy
  – Breach of Confidentiality
• First Party / Mitigation
  – Investigation costs
  – Notification costs
  – Fines/Penalties
  – Business Interruption
  – Extortion moneys

* excluded from standard product
Cyber insurance: current market offering
The current market offering includes First Party/ISBI, extortion and privacy coverage.

Product: First Party / ISBI*
• Triggers: Unauthorized access, Hacking, Virus, Denial of Service
• Comment:
  – Business Interruption or loss of data due to a general malicious attack (e.g., a generic virus such as the Love Bug virus)
  – Contingent Business Interruption due to lack of internet connectivity caused by IT failure at the providers' location
  – Costs for reinstatement of data
  – Investigation costs to determine the cause of the security failure

Product: Extortion
• Triggers: Investigation costs; extortion of monies due to a credible threat, e.g. introduction of malicious code
• Comment: Covers the monies paid by the Insured as a result of a credible threat or series of related threats directed at the Insured
  – e.g., to corrupt, damage or destroy the Insured's computer system, or to restrict or hinder access to the Insured's computer system
  – e.g., to release, divulge, disseminate, destroy or use confidential information stored in the Insured's computer system

Product: Privacy
• Triggers: Unintentional disclosure; breach of confidentiality
• Comment:
  – Liability: the defence and settlement costs for the liability of the Insured arising out of its failure to adequately protect its private data
  – Remediation: the response costs following a data breach, including investigation, public relations, customer notification and credit monitoring
  – Fines and/or penalties: the costs to defend and settle fines and penalties that may be assessed by the regulator

* Stand-alone property / extensions to property
Overview of major market exclusions
1. Bodily injury / Property damage
   – Current cover extends to economic loss only following a cyber event
   – Clear differentiation from existing PD/BI products (Property/Casualty)
   – New: AIG offers this coverage as a DIC/DIL coverage sitting excess of scheduled policies
2. Patent infringement plus theft of trade secrets
   – Undesired and hard to insure/quantify coverage
3. Fines & Penalties
   – Other than Data Protection fines following a breach
4. War, invasion, act of foreign enemy, hostilities or war-like operations (whether declared or not), civil war, mutiny, civil commotion
   – Coverage is provided for acts of cyber terrorism
5. Any seizure, confiscation, nationalization or destruction of a Computer System or electronic data by order of any governmental or public authority
6. Force Majeure
   – Earthquake, volcanic eruption, tidal waves etc.
Gaps in existing traditional policies
• Traditional insurance policies provide only limited coverage for cyber attacks.
Cyber breach response – process overview and key considerations
Post-breach services to be delivered by a Primary Insurance Carrier

1. Breach notification / consultation
   – The first point of contact will be Swiss Re and our external "Data Breach Counsel"; this will be coordinated through the NetDiligence platform
   – Five-hour initial consultation from Data Breach Counsel
   – The facts gathered will allow Swiss Re to assess whether a true breach has occurred
   – Without this first point of contact (i.e. engagement through counsel), forensic materials may be discoverable in later litigation

2. Forensics
   – Retention of forensic services to contain the breach and to understand the scope and breadth of the breach

3. Breach consultation
   – Review of forensic materials
   – When and where are breach notifications required?
   – What is the potential for regulatory fines or penalties?
   – What is the potential for legal action?
   – What are the next steps?

4. Notification design
   – Craft letter to Attorneys General and other state and federal agencies
   – Craft letters to be sent to affected parties
   – Craft script and flow chart for call centers and potential credit monitoring companies

5. Public relations
   – Engage public relations and crisis management experts to work with Swiss Re Claims and Data Breach Counsel during the course of the breach
Risk identification – Europe

Potential risk event | Likelihood | Potential impact
Website / copyright / trademark infringement claims | Low | Low
Legal liability to others for computer security breaches | Low – Medium | Medium
Legal liability to others for privacy breaches | Low – Medium | Medium
Privacy breach notification costs & credit monitoring | Low – Medium | Medium
Privacy regulatory action defense and fines | Low | Medium
Costs to repair damage to your information assets | Low | Medium
Loss of revenue due to a failure of security at a dependent technology provider | Low | Medium
Cyber extortion threat | Low | Medium
Loss of revenue resulting from non-physical business interruption | Low – Medium | High
Loss Examples
Security Breaches / Data Breaches – types of losses: examples of large losses in the US, and not only in the US
Recent examples of data-loss incidents

• Anthem BC/BS [Jan 2015]
  – No. 2 healthcare insurer in the US
  – Reported figures range from 50 million PII records breached to in excess of 80 million records stolen
  – Notification costs alone, estimated at at least USD 120m, will exhaust the existing cyber tower of USD 100m
• Centcom Twitter / YouTube breach [Jan 2015]
  – Twitter & YouTube accounts hacked and pro-ISIS content uploaded
• Morgan Stanley [Dec 2014]
  – Insider attack compromising 3.5m customer accounts
• Sony PSN / Microsoft Xbox Live Network [Dec 2014]
  – DoS attack by the hacker group Lizard Squad shut down the services around the Christmas holidays

• Sony has booked USD 171m in data breach direct costs to date*
• Target has incurred USD 178m in breach-related expenses as of Nov 2014**
• Heartland Payment Systems paid USD 150m in fines and legal costs from its breach and suffered damage to its reputation as a payment processor***

* PropertyCasualty360 ** New York Times *** The Wall Street Journal
Security Breaches / Data Breach: not only US losses (source: various articles)

Korea's financial regulators are coming down hard on three credit card companies whose customer data was stolen in the largest personal information leak in the country's history. The Financial Services Commission and the Financial Supervisory Service will suspend the business operations of KB Kookmin Card, NH Nonghyup Card and Lotte Card for three months starting February 17th 2014. Under the terms of the suspension, the companies will be banned from taking on new customers, issuing card loans or processing cash advances. Existing customers, however, will not be affected, as the suspension does not ban the firms from providing financial services to them. … Last month's leak, which affected at least 20 million people, sparked concerns the data could have ended up in the hands of scammers. The estimated compensation for mental damage caused to customers is expected to reach nearly USD 160 million. As another part of the punishment, the CEOs of the three firms are to face punishment depending on their accountability. (source: Connie Kim, Arirang News)

DigiNotar (September 2011) was a Dutch certificate authority. After it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. The company was declared bankrupt.

Cyberattacks on critical infrastructure are a reality, and they are becoming more frequent. An IT security report for 2014 published by Germany's Federal Office for Information Security (BSI) … incident that caused physical damage to a facility. … An attack launched by an advanced persistent threat (APT) group against an unnamed steel plant in Germany resulted in significant damage, according to a new report.

Areva: theft of IP, alleged state-sponsored attack.

Orange France: hacked twice in 2014, release of more than 1 million customer records.
Underwriting Criteria for Risk Selection
Are you ready to respond to breaches?
• Are breach response procedures set up?
• Are roles and responsibilities assigned?
• Are monitoring and detection measures in place?
• Are immediate measures instituted to protect data?
• Are investigation resources available to analyse breaches?
• Are response and notification measures established?
• Are communication processes established?
Swiss Re Corporate Solutions: IBM and Swiss Re teaming up to offer cyber risk protection services for commercial customers

Swiss Re's Business Challenge
• Entering a new market – wanted to partner with experienced cyber security experts
• Focus on enterprises across the globe for four types of exposure: computer viruses, hacking, Distributed Denial of Service and malware

Joint Approach
• Comprehensive support provided by a trusted partner: from training and cyber education through security risk assessments and vulnerability scans to cyber claims assistance

Swiss Re's Benefits
• Immediate access to the world-class expertise and experience of the global security leader – an attractive value proposition to prospective customers
• Integration of cyber assessments and claims handling into Swiss Re's overall business processes – leverage of best practices

[Diagram: Swiss Re, IBM and the Applicant]
IBM Cyber Security - Global reach and capabilities with local presence
Outlook
Driving Factors for Cyber Insurance: A Constantly Changing World
• New Technology
• Legal Environment
• Accumulation issues
• Supply Chain
• M&A
• Growth Plans
• Complexity
• Cloud Computing
• "Underestimated" small exposure
• Connectivity
• Known Vulnerabilities
• Awareness & Litigation approach
• Business Strategy
• Hacker focus on "Company X"
• Standardization
Countries with Privacy/Data Protection Laws

• North America
  – Canada
  – Mexico
  – United States (different legislation applies for certain industries, and notification is required in more than 46 states)
• Central & South America
  – Argentina
  – Brazil (Pending)
  – Chile
  – Colombia
  – Costa Rica
  – Ecuador (Pending)
  – Paraguay
  – Peru
  – Uruguay
• Middle East
  – Israel
  – UAE (DIFC)
• Africa
  – South Africa
  – Tunisia
• Asia-Pacific
  – Australia
  – China (draft privacy guidelines)
  – Hong Kong
  – India (privacy rules explained)
  – Japan
  – Malaysia
  – New Zealand
  – Philippines
  – Singapore
  – South Korea
  – Taiwan
  – Thailand
  – Vietnam
• Europe
  – 27 EU Member States +
  – Norway
  – Russia
  – Serbia
  – Switzerland
  – Turkey (Pending)
  – Ukraine

EU Data Protection reform (Regulation): revised version going to parliament after the 21.10.2013 committee review, with fines of up to EUR 100 million or 5% of annual worldwide turnover, whichever is greater. Update: discussions also impacted by TTIP, heavily delayed.

There are 105 countries with existing or pending privacy or data protection legislation.