Cyber Risks – Perception on Potential Losses
Alessandro Lezzi – Head of TMB International
Rio de Janeiro
9th April 2014
Agenda
• ‘Cyber’ – an overview
o The ‘Cyber’ market
o Market dynamics: USA vs International
• What’s at risk? What is ‘Cyber’ risk and why is it a threat?
• ‘Cyber’ incidents, data breaches: potential and real losses
• What is the role of the insurance/reinsurance market: what can be covered
• Q&A
‘Cyber’ – an overview
Why are people excited about cyber?
• Rapid growth in the amount of
data held and used by businesses
• The US has set a precedent –
Laws and regulations developing fast
• Businesses’ reputations are at stake
• The market is huge
A fast growing market…
• Estimates of the value of the standalone cyber market in the US are around $1 Billion
• We have seen demand surge by 270% in the last 3 years
• Estimated $5 Billion market in 2020 ($2 Billion in the rest of the world)
Standalone Cyber Insurance: Premium Growth (chart data)

Year    Premium          Policy Count
2009    $22,000,000      207
2010    $37,687,090      712
2011    $51,064,566      1,366
2012    $59,546,529      1,972
Which industries are currently the main buyers?
• Healthcare
• Retail
• Higher education
• Financial institutions and banks
• Hospitality
• Law firms and professions
• Telecommunications
• Energy companies
Where is the international market?
US versus non-US: drivers of demand for data breach insurance
(Chart: US and non-US positioned on a scale from “Strong impetus to buy” to “Weak impetus to buy” for each of three drivers: data proliferation, regulation, media coverage.)
We are nearing a tipping point …
Where is the international market?
Regulation
• Beginning to emerge
• Fines may not be insurable, unlike in the US (e.g. fines of up to 2% of revenue under the draft EU regulation, and FSA fines)
• PR and high-profile events will speed this up
Public Relations
• Breaches are getting more press, and reputational damage after a breach is growing. In some cases it is materially impacting share prices.
• Lessons learnt from the USA: organisations are becoming more prepared
• Potential PR damage and breach management is already driving demand much earlier than in the USA cycle.
What is Cyber and why is it a threat?
What is Cyber?
• Cyber Security
o Set of standards
- ISO 27002
- Mainly Integrity, Confidentiality, Availability
• Cyber Warfare
o Politically motivated hacking
o Information theft
o Cause disruption
• Cyber Crime
o Make money
o Steal data
What is Cyber in the insurance world?
Cyber risk = any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems
Such a risk could materialise in the following ways:
• deliberate and unauthorised breaches of security to gain access to information systems for the purposes of espionage, extortion or embarrassment.
• unintentional or accidental breaches of security, which nevertheless may still constitute an exposure that needs to be addressed
• operational IT risks due to poor systems integrity or other factors
The Cyber Threat
• 19.7m pieces of data traded illegally online during the first six months of 2012 (Experian)
• Euro 27 Billion to Euro 400 Billion global cost of cyber crime per annum (Verizon)
• Euro 2 Million average cost to international organisations in 2013 (Ponemon Institute)
What’s at Risk?
Where are the client’s exposures?
Network Security Liability
• Data breach (theft of data, unauthorised access or use)
• Transmission of malicious code
• Denial of service attack (DDoS)
Privacy Liability
• Privacy Policy (internal)
• Privacy Notice (external)
• Data collected
• Data shared with others
What data is at risk?
• Information on applications, forms or other correspondence – name, address, NI/social security number, health plan information and income
• Information about transactions – credit cards, debit cards, account balances and payment history
• Information received from consumer reporting agencies, credit references, employers, insurance companies – credit history, credit worthiness
• Information on employees – health records, NI/social security numbers, address etc.
• The network as a critical asset in supply chain, financing, infrastructure functions, Internet etc.
What data is at risk?
Security risk in an outsourced world
Even if your clients outsource, they remain the data owner (Controller).
How involved is Risk Management with third-party contractors (Processors)? Do they mirror the company’s processes and insurance?
Where do data breaches come from?
‘Cyber’ incidents, data breaches potential and
real losses
Impact to business: potential losses
• Loss of reputation/customer trust
o Financially difficult to quantify
• Incident clean-up
o May require expert assistance
• Third party claims
o From clients and individuals
• Regulatory penalties
o Legal requirements
• Direct revenue
o If the business is online and the website is affected
Cost of a data breach
Cost per record: $136 ($47.00 direct + $89.00 indirect)
DIRECT COSTS ($47.00 per record)
• Notification
• Call Center
• Identity Monitoring (credit/non-credit)
• Identity Restoration
• Discovery / Data Forensics
• Loss of Employee Productivity
INDIRECT COSTS ($89.00 per record)
• Additional Security and Audit Requirements
• Lawsuits
• Regulatory Fines
• Loss of Consumer Confidence
• Loss of Funding
© Ponemon Institute 2013
Real losses..
• 6 of the top 10 insured breaches in the world
• 340 breaches last year
• 1,000+ breaches handled since we started the class
• Averaging 1 per day in 2013
• Average trend for 2014 is 2 to 3 a day
• 80% of claims spend is on services and managing breaches
Examples of losses – Retail Industry:
• Unauthorized intrusion at the Insured’s POS system
• 100 Million customers’ credit card account information compromised
• Insured stated: “$61 million in expenses related to the breach during the quarter, $44 million were offset by an insurance payment and breach-related expenses may include costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investment”
• but… experts said “it was too early to estimate how big the bill would be, but it would certainly be in the hundreds of millions of dollars and could top $1 billion”
Examples of losses – Credit Card processor
• Large credit card processor
• Network intrusion by an external hacker: 1.5 million credit card records compromised
• Incident discovered and made public by a blogger..
• “Cost around $95 Million”; breakdown of specific expenses:
o $60 million for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance;
o $35.9 million for the total of estimated fraud losses, fines and other charges that will be imposed by the card networks
Examples of losses – Financial Services:
• The insured was notified by the police that two of its IP addresses were infected by a form of malware.
• The IP addresses were sending high volumes of files to two IP addresses associated with a botnet that the police had infiltrated and suspended.
• After an extensive forensic investigation, the insured determined that PII for 10,000 retirement plan participants was compromised
• We assisted the Insured with retaining outside counsel, a forensic team, an outside crisis management consultant and credit monitoring.
This breach cost over $1,400,000, due in large part to the extensive forensic evaluation, which successfully limited the notification group from the entirety of the insured’s customer base to only a portion thereof.
Examples of losses – Human error..
• Large multi-national business organization
• The Insured suffered an international data breach following the theft of an employee’s unencrypted laptop from his home. The laptop contained sensitive and personally identifiable information of the Insured’s employees, former employees and certain clients
• The information related to individuals in 11 different jurisdictions, including the UK, and presented great challenges for the outside lawyers
• Regulators in 2 different jurisdictions were notified and investigations by the regulators are on-going, so we are uncertain as to whether any fines will be applied.
What is the role of the insurance/reinsurance market: what can be covered
Two different approaches
• SERVICE MODEL
o Key vendor relationships in place
o Breach management expertise and staff
• BUCKET MODEL
o The Insured has to manage the breach entirely.
o Breaches can be more costly
What can be covered
• Legal liability for computer security breaches – Network Security Liability
• Legal liability for privacy breaches – Privacy Liability
• Regulatory actions and scrutiny
• PCI fines and penalties
• Notification costs
• Legal costs and forensic/investigation costs
• Call centre costs
• Crisis management
• Credit monitoring and identity monitoring
• Cyber extortion
• Online media content
• Business interruption coverage, including extra expense
• Loss of or damage to data/information
If you could answer all the following stop listening!
• Call a lawyer who is knowledgeable in this area?
• How did this happen and are we confident the situation is not continuing?
• Is it a breach?
• What type of information is involved?
• Where are the customers located?
• Are local or global laws triggered?
• What are the PR issues involved?
• Do we offer credit monitoring/patrol?
• Do we hire a call center to take the calls?
• What does the call script look like?
• How do our employees answer questions?
• How do we notify the media and what do we say?
• Do we need to notify the police?
• Should we involve the Secret Service?
• Do we need to change our business practices?
How we cover it
1. Discovery of a breach by the Insured. The Insured emails us or contacts the call centre in Toulouse. The call centre sends a report to the Response Team, and the Response Team contacts the Insured to agree a tailor-made plan of action.
2. The Legal Services vendor contacts the Insured: access to legal experts who will advise on and coordinate the response.
3. Forensic experts commence investigations: they investigate the existence, cause and extent of the breach.
4. Notification to affected third parties, with offering of CM or Data Alert: specialists provide a notification/mailing service to the Insured, lessening the burden of mitigating the effects.
5. Public Relations and crisis management specialists: a plan to mitigate reputational risk.
Why we use this model.
“We’ve already had your first breach for you”
• Focus on solving the customer’s problems, not just selling risk transfer
• Dedicated breach response service, since breaches are very different from liability
claims
• Hand-picked vendors, because expertise makes a big difference for claim outcome, but
most companies don’t have the in-house expertise to respond to a breach
• Encourage clients to use the services for even the smallest breaches, since little
breaches can be big problems if they aren’t handled well
• One e-mail or one phone call to activate services, because many companies want to
offload the dirty work as well as the risk
What do we consider to assess exposure ?
• Application Form
• Revenues
• Encryption and Portable Media Controls – laptops, USBs, back-up tapes
• How much data does the organisation have? What type of data is it?
• PCI compliance – where applicable
• Physical Controls
• Culture
• Third Party Audits / Vendor Management
• Content Controls
• External Websites – social networking
• Call or meeting with the client.
Are the Cyber losses shared with other policies?
• General Liability
• Will GL insurers absorb this risk unlike the US, where only property damage and
bodily injury are covered by GL policies?
Can they get to grips with the claims and service demands?
• Services
• Constrained supply of breach response services
• Currently much more costly* outside of the US due to fewer specialist
suppliers and multiple language demands:
• Legal – Up to 150% more
• Forensics – Up to 200% more
• Notification - Comparable
• Call centre – Up to 200%
* All Beazley estimates
Are the Cyber losses shared with other policies?
• Crime
o Commercial crime and FI crime
o Theft of funds vs theft of data?
o Improper personal gain?
• E&O
o Third party claim covered?
o First party loss, i.e. business interruption?
• Property policy
o Business interruption
• D&O
o Shareholder action
Conclusion
In summary..
• It’s a growing market
• Intensive use of technology has created new, evolving risks
• It’s not just about IT…
• All companies are exposed, regardless of size..
• There are already large losses, and many others unknown
• It’s not a question of if but when …
• The insurance and reinsurance market can provide coverage but, above all, expertise and services… to protect..
“It takes 20 years to build a reputation and five minutes to ruin it.”
Warren Buffett