OESAI COMPREHENSIVE GENERAL INSURANCE TECHNICAL TRAINING

Cyber Insurance OESAI COMPREHENSIVE GENERAL INSURANCE TECHNICAL TRAINING Ezekiel Macharia Group Actuary - Jubilee Holdings Limited Day 2, Tuesday 10th November, 2015

AGENDA Cyber Risk & Cyber Risk Insurance Product Development Life Cycle – Demand Research & Pricing – Underwriting & Policy Terms – Claim Underwriting Conclusion

Insert Pictures no OESAI background Cyber Risk any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems (includes networks & the internet).

Insert Pictures no OESAI background Key Insurable Cyber Risks Theft: – Identity theft – Theft of digital assets Business interruption – Lost Income – Recovery of damaged data records – Reputational damage – Cost of Credit Monitoring of impacted clients Malware & Human Error (bugs) Legal suits alleging trademark/copyright infringement

Cyber Risk: Malware Software that is intended to damage or disable computers (systems) Malware (Malicious Software) COMMON TYPES OF MALWARE NameDescriptionExampleFunction Worm Exploit vulnerability of operating systems & spread without human intervention Infected sSpread & delivery payloads (most common) Trojan Trick user that they are using legitimate software Fake installation fileUsed to install other malwares Virus Software capable of copying itself and spreading to other computers (need human intervention) Script filesSpreading itself and carrying other malware AdwareAutomatically delivers advertsPop up AdsAnnoying/Deliver Spyware Bot Automatically perform a specific operation BotNets & SpambotsCo-ordinated attacks BugFlaw in system designHuman ErrorAllow attackers to bypass user authentication Ransomware Hold a computer captive - restrict user access Encrypted files/Locked down systemRansom to pay creator of malware Rootkit Remote access or control without detection BackdoorStealth entry to steal/alter/install or control Spyware Spying on user activity without knowledge Keystrokes collectorActivity monitoring & data harvesting

Case Study Kenya: Top Malware Attacks 79% of malicious software attacks in Kenya are worms Virus attack is only 2% Source: Technology Service Provider of Kenya Technology Service Providers of Kenya (TESPOK) ( ) tracks malware attacks in Kenya

Case Study Kenya: Top Malware Sources Top malware cyber attacks in Kenyan IT infrastructure are from China & USA sources (IP address) Attackers use sophisticated tools Source: Technology Service Provider of Kenya Attackers are international – any criminal in the world with an internet connection can now attack your clients business

Product Development? Demand Research: Is there need for cyber risk insurance? Pricing

Is there need for cyber risk insurance?

How developed is Cyber Security in OESAI member countries? Report developed by International Telecommunication Union (ITU) Key indicators for cyber security development are: Legal Technical capacity Organizational Capacity Building Cooperation Source: GLOBAL Cybersecurity Index & Cyberwellness Profiles Report 2015

Case study: Tanzania Cyber Crimes Bill (2015) Data Espionage Obtain data without permission Pornography Dissemination Publication of False Information Information – data/facts in form of pictures/text/symbols Racist/Xenophobic Material Publication or dissemination Unsolicited Messages Sms/ /Ads?? Cyber Bullying Bullying online Violation of Intellectual Property Infringement on commercial / non-commercial basis Laws supporting Insurable Risk Liability

Pricing Cyber Risk Strength of Security System Likelihood of intrusion Risk Management Culture Control in place & role of compliance & audit GSI Index Macro factors Frequency Severity Disaster Recovery Ability to recover from attack Rating of Service Providers Reliability of cloud providers, backup providers, website, etc Legal Fees & Fines IT Staff Costs Data restoration PR & Marketing Costs Extortion Customer Support Lost Income

Underwriting Cyber Insurance Policy Terms Underwriting considerations

Policy Terms Legal Liability Not complying with privacy laws Crisis Management Costs Informing customers, public relations & adverts Data Extortion Ransom Payment First Party Risks Third Party Risks Loss of Income As a result of network failure & downtime Data Recovery IT Staff overtime, data retrieval & verification Security Liability Liability arising from breach of security Multimedia Liability Liability arising from insured’s internet, advertising & marketing activities Professional Liability Liability arising out of negligence in providing IT Services

Underwriting considerations Business – Type of business – Size of business – Scope of the business Number of customers Multimedia – Presence on the Web – Data collected and stored Enterprise Risk Management (ERM) techniques applied by the business to protect its computer network and its assets. – Risk management procedure & culture Don’t tell anyone!! Non-disclosure of cyber risk policy

Claim Management In addition to traditional claim management, the insurer may want to hire Third Party IT experts to review the claims – post insurance underwriting

Claims Underwriting Comparing capacity of the insured at policy purchase date and claim date (moral hazard) – Ability of employees and others to access data systems – Utilization of antivirus and anti-malware software – Frequency of updates – Performance of firewalls Claim incidence details compared to risk-management techniques applied by the business to protect its network and its assets – what failed. Utilization of disaster response plan (DRP) when the claim occurred to the business’s networks, website, physical assets and intellectual property.

Conclusion Cyber risk is an emerging risk in the world Legal framework for insurable legal liability is generally under development across east & southern African countries There is demand for cyber risk insurance Where pricing data is not available – proxies can be developed Underwriting will depend on risk management and culture of the client

? QUESTIONS