Published by Christopher Henderson. Modified over 6 years ago.
1
Indian Actuarial Profession Serving the Cause of Public Interest
28th India Fellowship Seminar
Topic: Cyber Risk Insurance and the Role of Cyber Security: Why is this the need of the hour and challenges faced by insurance companies?
Guide Name: Mehul Shah
Presenters Name: 1. Mark R. Shapland, FCAS, FSA, MAAA 2. Jean Cloutier, FCAS
Date: 9 November 2017
Mumbai
2
Acknowledgements
We developed these slides to help us discuss the key issues and opportunities regarding Cyber Risk Insurance and the Role of Cyber Security.
The material is drawn mainly from two papers:
  “Ten Key Questions on Cyber Risk and Cyber Risk Insurance”, The Geneva Association
  “Cybersecurity: Impact on Insurance Business and Operations”, Joint Risk Management Section of the CIA, CAS and SOA
Both of these papers can serve as a valuable source for further research and contain a wealth of information which far exceeds our limited time slot for presentation.
3
Agenda
What is Cyber Risk?
Cyber Risk Insurance
Role of Cyber Security
Challenges for the Industry
Q&A
4
What is Cyber Risk?
Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services
Cyber risk is either caused by natural disasters (e.g., flooding or earthquakes) or is man-made, where the latter can emerge from human failure, cyber criminality (e.g., extortion, fraud), cyberwar, or cyber terrorism
5
What is Cyber Risk?
The impairment of operational technology (OT) eventually leads to business disruption, (critical) infrastructure breakdown, and physical damage to humans and properties
It is characterised by interdependencies, potential extreme events, high uncertainty with respect to data and modelling approaches, and the risk of change
6
What is Cyber Risk?
Cyber risk can be categorized according to several dimensions
The most obvious approach would be to differentiate between man-made threats and those caused by natural disasters. For example, flooding, earthquake and fire alike can cause physical damage to IT infrastructure such as servers and networks
7
What is Cyber Risk?
Man-made cyber risk can be classified according to:
  the activity (criminal, non-criminal, intentional, accidental),
  the type of attack (e.g., malware, insider attack, spam, DoS, botnet, hard- or software failure), or
  the source (e.g., terrorists, criminals, governments)
The attacks depend mainly on the activity and are reinforced by network effects (e.g., worms)
The vulnerability of the company then determines whether an attack is successful
8
What is Cyber Risk?
Consequences:
  depend on the aim of the attackers (e.g., espionage, sabotage, extortion, exploiting information)
  might compromise the availability of IT services
  might compromise the integrity and confidentiality of data
  which in turn leads to monetary loss, reputational damage, business interruption, or damage to humans
9
Agenda
What is Cyber Risk?
Cyber Risk Insurance
Role of Cyber Security
Challenges for the Industry
Q&A
10
Cyber Risk Insurance
The cyber insurance market is very small at present, but is expected to increase significantly
The U.S. market is much more developed than its European counterpart, partly because the U.S. has had reporting requirements for cyber attacks in place for several years, with relatively heavy fines for violations
Outside the U.S., insurance coverage for cyber risk is not well known and little used
11
Cyber Risk Insurance
Conventional GL policies are frequently silent on whether losses caused by cyber incidents are covered
Often the terms of contract are even silent on what cyber events exactly would be included
While the customer might think that cyber incidents are covered, the insurer assumes that they are not
12
Cyber Risk Insurance
Insurers may seek more explicit terms of contract in two ways, either:
  the insurer could adapt its policies by explicitly excluding cyber risks in traditional policies and providing dedicated policies (standalone cyber policy), or
  it could explicitly include cyber risks and adjust the premiums accordingly (affirmative cyber policy)
13
Cyber Risk Insurance
Besides the low coverage of cyber risk in businesses, the market of cyber insurance for individuals is even less well-developed
There exist only very few personal cyber insurance products, and most people are not even aware of their existence
14
Cyber Risk Insurance
Affirmative cyber policies offer the following advantages:
  Ensures good degree of information exchange to support the underwriting
  Establishes clear / definable coverage set
  Minimizes litigation among other lines of insurance
  Ensures right experts are involved in risk assessment
15
Cyber Risk Insurance
Capacity now available up to US$ 350 M
Initially designed as Property Damage and Business Interruption
Uses IT consultancy and cyber vendors to support underwriting
16
Cyber Risk Insurance
Other coverages now offered as the market expands:
  Non damage business interruption
  Loss mitigation expenses
  Digital asset restoration
  Cyber extortion
  Crisis management costs
17
Cyber Risk Insurance
Other coverages now offered as the market expands:
  Bodily injury
  Contingent business interruption
  System failure
  Notification costs
18
Agenda
What is Cyber Risk?
Cyber Risk Insurance
Role of Cyber Security
Challenges for the Industry
Q&A
19
Role of Cyber Security
Cyber Security budgets for many midsize and small companies are minimal
As a result, those companies often have little or no IT expertise, are unable to follow through on IT consultant recommendations and accordingly focus only on “putting out fires” rather than managing long-term cyber risk issues
20
Role of Cyber Security
Currently, there’s a general lack of objective proof that particular controls—policies, processes, technologies and otherwise—have measurable and positive risk management impacts
Limited technology solutions exist for addressing cyber risks
Most vendor options fall short of needed protection, and they don’t seem to be improving
Technical controls are often too complicated and/or costly for businesses to implement
21
Role of Cyber Security
The lack of available information about which cyber risks are most likely to materialize compounds these problems
Without more security intelligence, most organizations cannot make informed decisions about where to best spend their limited cyber security budgets
Some companies may be inclined to buy cyber security insurance rather than spend money on technology solutions and other cyber security controls
They may opt to transfer risk entirely rather than invest in expensive and largely unproven cyber risk mitigation efforts
22
Agenda
What is Cyber Risk?
Cyber Risk Insurance
Role of Cyber Security
Challenges for the Industry
Q&A
23
Challenges for the Industry
Increasing regulatory pressure:
  UK Prudential Regulatory Authority expects firms to be able to identify, quantify and manage cyber insurance underwriting risk
  AM Best expects companies to be proactive and forthcoming with evaluation and measurement of cyber exposures
24
Challenges for the Industry
General Liability is a large, profitable business for many insurers
Lack of uniformity in implementation of cyber exclusions
Insureds will test the markets if their current carrier cannot provide necessary coverages
Cyber Risk is a growing line of business, with potential to generate future revenue increases
25
Challenges for the Industry
Many of the risks that arise in cyberspace are not new (e.g., intellectual property theft, lost profits, privacy and reputational damages), and other professions are looking to actuaries to take the lead
Actuaries are uniquely qualified to process this information to develop new, and enhance existing, Cyber Risk insurance products
26
Challenges for the Industry
One major issue in Cyber Risk insurance is what level of cyber security carriers should demand from the insured
If these levels are made too onerous, the marketability of the product will suffer
However, standards that are too lax will encourage insureds to skimp on expensive cyber protection solutions
Some have expressed the opinion that demanding the latest software patch updates from all employees is unreasonably onerous
27
Challenges for the Industry
There are many causes of loss, and a data breach may be caused by several
While not all of these causes can be controlled by insureds, one report found that 90 percent of cyber attacks over the previous year were preventable with simple or intermediate systems in place
There’s clearly room for improvement in most organizations when it comes to cyber risk management
28
Challenges for the Industry
Insurance should not cover those breaches in the insured’s control; it exists to cover those things outside the insured’s control
Carriers should motivate insureds to do what they can, through both compulsory precautions and policy terms
29
Challenges for the Industry
Frequency and severity of events are the “holy grail” of cyber security risk management
While companies can analyze the frequency of cyber incidents based on some available data, estimating severity is more difficult
Different industries are held to different standards (e.g., the medical industry has higher cyber claims frequency because of the rigorous information security and privacy standards of the Health Insurance Portability and Accountability Act in the U.S.)
30
Challenges for the Industry
Frequency is short tailed and companies generally find out quickly if they have been breached
This has two implications:
  First, it makes it easier to price, and therefore a more insurable risk
  Second, it is rare that more than one policy will be triggered with one event, and those rare events, generally related to cloud providers, can be specifically excluded from contracts