Cyber Risks – Perception on Potential Losses
Transcript
Cyber Risks – Perception on Potential Losses
Alessandro Lezzi – Head of TMB International
Rio de Janeiro, 9th April 2014

Agenda
• ‘Cyber’ – an overview
  o The ‘Cyber’ market
  o Market dynamics: USA vs International
• What’s at risk? What is ‘Cyber’ risk and why is it a threat?
• ‘Cyber’ incidents, data breaches: potential and real losses
• What is the role of the insurance/reinsurance market: what can be covered
• Q&A

‘Cyber’ – an overview

Why are people excited about cyber?
• Rapid growth in the amount of data held and used by businesses
• The US has set a precedent – laws and regulations are developing fast
• Businesses’ reputations are at stake
• The market is huge

A fast growing market…
• Estimates of the value of the standalone cyber market in the US: around $1 billion
• We have seen demand surge by 270% in the last 3 years
• Estimate: $5 billion market in 2020 ($2 billion rest of world)

Standalone Cyber Insurance: Premium Growth (data labels from the chart, figures as shown)
Year   Premium           Policy count
2009   22.000.000,00     207
2010   37.687.090,00     712
2011   51.064.566,00     1.366
2012   59.546.529,00     1.972

Which industries are currently the main buyers?
• Healthcare
• Retail
• Higher education
• FI and banks
• Hospitality
• Law firms and professions
• Telecommunications
• Energy companies

Where is the international market?
US versus non-US: drivers of demand for data breach insurance
[Chart: for each driver – data proliferation, regulation, media coverage – the US and non-US markets are placed between “strong impetus to buy” and “weak impetus to buy”]
We are nearing a tipping point…

Where is the international market?
Regulation
• Beginning to emerge
• Fines may not be insurable, unlike in the US (e.g. EU fines of up to 2% of revenue under the draft EU regulation, and FSA fines)
• PR and high-profile events will speed this up
Public relations
• Breaches are getting more press and reputational damage is growing after a breach. In some cases it is materially impacting share prices.
• Lessons learnt from the USA – organisations are becoming more prepared
• Potential PR damage and breach management is already driving demand much earlier than in the USA cycle.

What is Cyber and why is it a threat?

What is Cyber?
• Cyber Security
  o Set of standards: ISO 27002
  o Mainly integrity, confidentiality, availability
• Cyber Warfare
  o Politically motivated hacking
  o Information theft
  o Causing disruption
• Cyber Crime
  o Making money
  o Stealing data

What is Cyber in the insurance world?
Cyber risk = any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.
Such a risk could materialize in the following ways:
• deliberate and unauthorised breaches of security to gain access to information systems for the purposes of espionage, extortion or embarrassment
• unintentional or accidental breaches of security, which nevertheless may still constitute an exposure that needs to be addressed
• operational IT risks due to poor systems integrity or other factors

The Cyber Threat
• 19.7m pieces of data traded illegally online during the first six months of 2012 (Experian)
• €27 billion to €400 billion global cost of cyber crime per annum (Verizon)
• €2 million average cost to an international organisation in 2013 (Ponemon Institute)

What’s at Risk?

Where are the client’s exposures?
Network Security Liability
• Data breach (theft of data, unauthorised access or use)
• Transmission of malicious code
• Denial of service attack (DDoS)
Privacy Liability
• Privacy policy (internal)
• Privacy notice (external)
• Data collected
• Data shared with others

What data is at risk?
• Information on applications, forms or other correspondence – name, address, NI/social security number, health plan information and income
• Information about transactions – credit cards, debit cards, account balances and payment history
• Information received from consumer reporting agencies, credit references, employers, insurance companies – credit history, credit worthiness
• Information on employees – health records, NI/social security numbers, address etc.
• Network as a critical asset in… supply chain, financing, infrastructure functions, Internet etc.

What data is at risk?
Security risk in an outsourced world
Even if your clients are outsourcing, they remain the data owner (Controller). How involved is Risk Management with 3rd party contractors (Processor) – do they mirror the company’s processes and insurance?

Where do data breaches come from?

‘Cyber’ incidents, data breaches: potential and real losses

Impact to business: potential losses
• Loss of reputation/customer trust
  o Financially difficult to quantify
• Incident clean-up
  o May require expert assistance
• Third party claims
  o From clients and individuals
• Regulatory penalties
  o Legal requirements
• Direct revenue
  o If the business is online and the website is affected

Cost of a data breach (© Ponemon Institute 2013)
Cost per record: $136
Direct costs – $47.00
• Notification
• Call center
• Identity monitoring (credit/non-credit)
• Identity restoration
• Discovery / data forensics
• Loss of employee productivity
Indirect costs – $89.00
• Additional security and audit requirements
• Lawsuits
• Regulatory fines
• Loss of consumer confidence
• Loss of funding

Real losses…
• 6 of the top 10 insured breaches in the world
• 340 breaches last year
• 1,000+ breaches handled since we started the class
• Averaging 1 per day in 2013
• Average trend for 2014 is 2 to 3 a day…
• 80% of claims spend is on services and managing breaches

Examples of losses – Retail industry
• Unauthorized intrusion at the Insured’s POS system
• 100 million customers’ credit card account information compromised
• Insured stated: “$61 million in expenses related to the breach during the quarter, $44 million were offset by an insurance payment and breach-related expenses may include costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investment”
• but… experts said “it was too early to estimate how big the bill would be, but it would certainly be in the hundreds of millions of dollars and could top $1 billion”

Examples of losses – Credit card processor
• Large credit card processor
• Network intrusion by an external hacker: 1.5 million credit card records compromised
• Incident discovered and made public by a blogger…
• “Cost around $95 million; breakdown of specific expenses:
  o $60 million for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance;
  o $35.9 million for the total of estimated fraud losses, fines and other charges that will be imposed by the card networks”

Examples of losses – Financial services
• The Insured was notified by the police that two of its IP addresses were infected by a form of malware.
• The IP addresses were sending high volumes of files to two IP addresses associated with a botnet that the police had infiltrated and suspended.
• After an extensive forensic investigation, the Insured determined that PII for 10,000 retirement plan participants was compromised
• Assisted the Insured with retaining outside counsel, a forensic team, an outside crisis management consultant and credit monitoring
• This breach cost over $1,400,000, due in large part to the extensive forensic evaluation, which successfully limited the notification group from the entirety of the Insured’s customer base to only a portion thereof.

Examples of losses – Human error…
• Large multi-national business organization
• The Insured suffered an international data breach following the theft of an employee’s unencrypted laptop from his home. The laptop contained sensitive and personally identifiable information of the Insured’s employees, former employees and certain clients
• The information related to individuals in 11 different jurisdictions, including the UK, and presented great challenges for the outside lawyers
• Regulators in 2 different jurisdictions were notified and investigations by the regulators are on-going, so we are uncertain as to whether any fines will be applied.

What is the role of the insurance/reinsurance market: what can be covered

Two different approaches
• SERVICE MODEL
  o Key vendor relationships in place
  o Breach management expertise and staff
• BUCKET MODEL
  o The Insured has to manage a breach entirely
  o Breaches can be more costly

What can be covered
• Legal liability for computer security breaches – Network Security Liability
• Legal liability for privacy breaches – Privacy Liability
• Regulatory actions and scrutiny
• PCI fines and penalties
• Notification cost
• Legal cost and forensic/investigation cost
• Call center cost
• Crisis management
• Credit monitoring and identity monitoring
• Cyber extortion
• Online media content
• Business interruption coverage including extra expense
• Loss or damage to data/information

If you could answer all the following, stop listening!
• Call a lawyer who is knowledgeable in this area?
• How did this happen and are we confident the situation is not continuing?
• Is it a breach?
• What type of information is involved?
• Where are the customers located?
• Are local or global laws triggered?
• What are the PR issues involved?
• Do we offer credit monitoring/patrol?
• Do we hire a call center to take the calls?
• What does the call script look like?
• How do our employees answer questions?
• How do we notify the media and what do we say?
• Do we need to notify the police?
• Should we involve the Secret Service?
• Do we need to change our business practices?

How we cover it
1. Discovery of a breach by the Insured
   The Insured emails us or contacts the call centre in Toulouse. The call centre sends a report to the Response Team. The Response Team contacts the Insured. The BR Team contacts the Insured to agree a tailor-made plan of action.
2. Legal services
   The vendor contacts the Insured: access to legal experts who will advise on and coordinate the response.
3. Forensic experts commence investigations
   Forensic experts investigate the existence, cause and extent of the breach.
4. Notification to affected third parties; offering of CM or Data Alert
   Specialists will provide a notification/mailing service to the Insured, lessening the burden of mitigating the effects.
5. Public relations and crisis management specialists
   Plan to mitigate reputational risk.

Why we use this model.
“We’ve already had your first breach for you”
• Focus on solving the customer’s problems, not just selling risk transfer
• Dedicated breach response service, since breaches are very different from liability claims
• Hand-picked vendors, because expertise makes a big difference to the claim outcome, but most companies don’t have the in-house expertise to respond to a breach
• Encourage clients to use the services for even the smallest breaches, since little breaches can be big problems if they aren’t handled well
• One e-mail or one phone call to activate services, because many companies want to offload the dirty work as well as the risk

What do we consider to assess exposure?
• Application form
• Revenues
• Encryption and portable media controls – laptops, USBs, back-up tapes
• How much data does the organisation have? What type of data is it?
• PCI compliance – where applicable
• Physical controls
• Culture
• Third party audits / vendor management
• Content controls
• External websites – social networking
• Call or meeting with the client

Are the Cyber losses shared with other policies?
• General Liability
  o Will GL insurers absorb this risk, unlike in the US, where only property damage and bodily injury are covered by GL policies? Can they get to grips with the claims and service demands?
• Services
  o Constrained supply of breach response services
  o Currently much more costly* outside of the US due to fewer specialist suppliers and multiple language demands:
    - Legal – up to 150% more
    - Forensics – up to 200% more
    - Notification – comparable
    - Call centre – up to 200%
  * All Beazley estimates

Are the Cyber losses shared with other policies?
• Crime
  o Commercial crime and FI crime
  o Theft of funds vs theft of data?
  o Improper personal gain?
• E&O
  o Third party claims covered?
  o First party loss, i.e. business interruption?
• Property policy
  o Business interruption
• D&O
  o Shareholder action

Conclusion
In summary…
• It’s a growing market
• Intensive use of technology has created new, evolving risks
• It’s not just about IT…
• All companies are exposed regardless of size…
• There are already large losses and many others unknown
• It’s not a question of if but when…
• The insurance and reinsurance market can provide coverage but above all expertise and services… to protect…

“It takes 20 years to build a reputation and five minutes to ruin it.” – Warren Buffett