Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Insurance 101 South Texas Chapter Risk & Insurance Management Society May 17, 2017 Matt C. Green, Marsh.

Published byViolette Larivière Modified over 6 years ago

Similar presentations

Presentation on theme: "Cyber Insurance 101 South Texas Chapter Risk & Insurance Management Society May 17, 2017 Matt C. Green, Marsh."— Presentation transcript:

1 Cyber Insurance 101 South Texas Chapter Risk & Insurance Management Society
May 17, 2017 Matt C. Green, Marsh

2 Cyber Insurance Potential Threat Environment
September 19, 2018

3 Cyber Insurance Cyber Attacks: A Growing Global Risk
Costs businesses $400B+ per year. The world is becoming more dependent on the internet - with the quantity of data in circulation apparently doubling each year and estimates that there will be 50 billion connected devices in the world by 2020 – 6.5 devices for every person on the planet. [1] [1 September 19, 2018

4 Cyber Insurance What type of information is at risk?
Consumer Information Credit Cards, Debit Cards, and other payment information Social Security Numbers, ITIN’s, and other taxpayer records Customer Transaction Information, like order history, account numbers, etc. Protected Healthcare Information (PHI), including medical records, test results, appointment history Personally Identifiable Information (PII), like Drivers License and Passport details Financial information, like account balances, loan history, and credit reports Non-PII, like addresses, phone lists, and home address that may not be independently sensitive, but may be more sensitive with one or more of the above Employee Information Employers have at least some of the above information on all of their employees Business Partners Vendors and business partners may provide some of the above information, particularly for Sub-contractors and Independent Contractors All of the above types of information may also be received from commercial clients as a part of commercial transactions or services In addition, B2B exposures like projections, forecasts, M&A activity, and trade secrets

5 Cyber Insurance What Makes Cyber Risk Unique?
Tech Process People Cyber Risk Cyber Risk combines: Technology, which is: Complex Dynamic Obscure Dumb Process, which is: Easy to say Hard to do People, who are: Smart Independent Adaptable Irrational

6 Cyber Insurance Governance key as regulatory scrutiny persists
48 State Breach Notification Laws – Rules for notifying customers/attorney generals when data breached Massachusetts 201 CMR 17 – Requires proactive information security to keep resident’s data safe Red Flag Rules imposed by Federal Trade Commission – Requires sign-off by Board of Directors Payment Card Industry Data Security Standards (PCI DSS) – 12 requirements to protect credit card data Fair and Accurate Credit Transaction Act (FACTA) HIPAA HITECH - Health Information Technology for Economic and Clinical Health Act expands HIPAA data security requirements to business associates doing business with healthcare organizations Children’s Online Privacy Protection Act Gramm-Leach-Bliley Act Fair Credit Reporting Act Computer Fraud and Abuse Act State attorney general actions and consumer protection laws September 19, 2018

7 Simplified Data Breach Timeline
Cyber Insurance Simplified Data Breach Timeline Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody or control of the Insured, or a 3rd for whom the Insured is legally liable. Discovery can come about several ways: Self discovery: usually the best case Customer inquiry or vendor discovery Call from regulator or law enforcement Discovery Forensic Investigation and Legal Review Forensic tells you what happened Legal sets out options/obligations First Response Public Relations Notification Remedial Service Offering External Issues Income Loss Damage to Brand or Reputation Regulatory Fines, Penalties, and Consumer Redress Civil Litigation Long-Term Consequences September 19, 2018

8 Cyber Insurance Key Insurance Coverages
Description Covered Costs First Party Cover 1st Party Insurance coverage: direct loss and out of pocket expense incurred by insured Business Income/ Extra Expense Interruption or suspension of computer systems due to a network security breach. Coverage may be added to include system failure. Loss of Income Costs in excess of normal operating expenses required to restore systems Dependent business interruption Forensic expenses Data Asset Protection Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed. Restoration of corrupted data Vendor costs to recreate lost data Event Management Costs resulting from a network security or privacy breach: Forensics Notification Credit Monitoring Call Center Public Relations Sales Discounts Cyber Extortion Network or data compromised if ransom not paid Investigation Negotiations and payments of ransoms demanded Third Party Cover 3rd Party insurance coverage: defense and liability incurred due to harm caused to others by the insured. Privacy Liability Failure to prevent unauthorized access, disclosure or collection, or failure of others to whom you have entrusted such information, for not properly notifying of a privacy breach. Liability and defense Third party trade secrets Notification to individuals Investigation costs Costs related to public relations efforts Network Security Liability Failure of system security to prevent or mitigate a computer attack. Failure of system security includes failure of written policies and procedures addressing technology use. Bank lawsuits Consumer Lawsuits Privacy Regulatory Defense Costs Privacy breach and related fines or penalties assessed by Regulators. Investigation by a Regulator Liability and Defense costs PCI / PHI fines and penalties Prep costs to testify before regulators Consumer / Bank lawsuits

9 Cyber Insurance Carrier Approach – Cyber Policy Breach/Notification Costs
Currently there are two approaches in the market: Providing a dollar sublimit Pros: Insured maintains control of the process Insured knows exactly how much money they have available for an “event” Can be outside the aggregate limit of liability Cons: Insurer may not agree to all costs incurred Insurer may not approve insured’s selected vendors Dollar sublimit may not be sufficient to respond to all costs associated with an “event” Providing a per person sublimit Typically outside the aggregate limit of liability Insured selects response firm from a panel counsel list The response is handled by the insurer The Insured hands over the response to the insurer’s vendors Larger clients, the per person sublimit removes control which they expect to maintain Typically only offered to companies with <$5B in revenue September 19, 2018

10 Cyber Insurance Carrier Approach – Value Added Services
Partnerships With Third Party Vendors Loss Prevention Cybersecurity risk assessment. “Dark Web” data mining and monitoring. Vendor security ratings. Employee education (e.g., phishing). Vulnerability scanning. Claims Breach coach. Incident response, including forensics. Crisis communications. Information Sharing Business Continuity Planning/Resiliency

11 TYPES OF POLICIES Cyber Insurance Understanding the Gaps in Coverage
GENERAL LIABILITY PROPERTY ERRORS AND OMISSIONS FIDELITY AND CRIME D&O TYPES OF POLICIES

12 Cyber Insurance How Does a Cyber Policy Fill Gaps in Traditional P&C Policies
September 19, 2018

13 Cyber Insurance What’s happening in the insurance market today?
Business Interruption / Property Damage Cyber Extortion Social Engineering Trends & Developments Standalone Cyber Insurance Increasing Limits Larger Losses Abundant and Increasing Capacity

14 Cyber Insurance Cyber Market Update
In Q4 2016, cyber rates increased by an average of 1.4% for all industries within Marsh’s client base. Competition among insurers is strengthening for clients in all revenue segments and all industry sectors, including higher- exposure classes like retail and health care as well as emerging classes like critical infrastructure and manufacturing. Sub-limits for certain cyber coverages (for example, notification, payment card, and regulatory costs) are trending higher, with many clients exploring “full” limits for these covers. Clients continue increasing their total program size, due in part to a growing recognition of the risk. Overall, insurer appetite remains strong, with a market-wide focus on growth in 2017 and many carriers developing new coverages and services. New entrants continue to proliferate, both domestically and in the London market. September 19, 2018

15 Cyber Insurance Current State of Underwriting
Growing Market Gross written premiums expected to increase from $2.5B in 2014 to $7.5B in 2020. Capacity remains steady at approximately $500M. New area of opportunity in otherwise soft Property and Casualty markets. Traditional or “legacy” Cyber insurers threatened by naïve capacity. Opportunity Riddled With Uncertainty Where else (which policies) are insurers exposed to Cyber claims? Aggregation and concentration continue to be a major concern.

16 Cyber Insurance Traditionally Uninsurable Cyber Risks
Property Damage caused or contributed to by a cyber event (with growing exceptions). Property carriers starting to provide some Cyber Business Interruption coverage; many exclude it. Bodily Injury caused or contributed to by a cyber event (with exceptions). Misappropriation of Trade Secrets (direct loss). Patent Infringement Liability. September 19, 2018

17 Cyber Security Cyber Risk Management
Cyber Insurance The Next Evolution of Cyber Risk Cyber Security Cyber Risk Management Cyber Security is a problem to be solved Cyber Security issues can be prevented Cyber Security is a technology problem Cyber Security is a problem for the IT department Cyber Security is a temporary issue Cyber Security is all about (data breaches | cyber terrorism | <insert other scenario here> Cyber Risk is a race without end Cyber Risk cannot be eliminated Cyber Risk Management encompasses people, processes, and technology. Cyber Risk Management engages the entire enterprise Cyber Risk Management is a permanent entry on the risk register Cyber Risk is a multitude of issues reflecting the pervasive nature of technology

18 Outside Vendors Common practice to require Cyber coverage for outside vendors Take overall services into account when requiring Cyber coverage Reasonable to request that coverage be maintained for virtually all technology related vendors Many times requirement is packaged with Technology E&O insurance requirements Sample Wording “…Costs to be covered by this insurance policy shall include without limitation: (a) costs to notify individuals whose Personal Data was lost or compromised; (b) costs to provide credit monitoring and credit restoration services to individuals whose Personal Data was lost or compromised; (c) costs associated with third party claims arising from the Security Breach or loss of Personal Data, including litigation costs and settlement costs; and (d) any investigation, enforcement or similar miscellaneous costs. Such insurance shall provide coverage for up to $x,000, (x million dollars). For the purposes of this Section, " Security Breach" means (1) the failure by the Vendor to properly handle, manage, store, destroy or otherwise control, or the unauthorized disclosure by the Vendor of: (a) Personal Data in any format or (b) third party corporate information in any format specifically identified as confidential and protected under a confidentiality agreement or similar contract; (2) an unintentional violation of the Vendor's privacy policy or misappropriation that results in the violation of any applicable data privacy laws or regulations; or (3) any other act, error, or omission by Vendor in its capacity as such which is reasonably likely to result in the unauthorized disclosure of Personal Data…”

19 Cyber Insurance 5 Best Practices
When In Doubt, ENCRYPT Know where your data is Know what you can do with it Remind your staff of the rules Address your data collection and deletion policy

20

Download ppt "Cyber Insurance 101 South Texas Chapter Risk & Insurance Management Society May 17, 2017 Matt C. Green, Marsh."

Similar presentations

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
Insurance in the Cloud Ben Hunter, Canadian Underwriting Specialist Technology Insurance Specialty Chubb Insurance Company of Canada.

Insurance in the Cloud Ben Hunter, Canadian Underwriting Specialist Technology Insurance Specialty Chubb Insurance Company of Canada.
Presented at: Ctuit Software and Lathrop & Gage LLP Food & Hospitality Roundtable San Francisco, CA April 29, 2013 Presented by: Leib Dodell, Esq.

Presented at: Ctuit Software and Lathrop & Gage LLP Food & Hospitality Roundtable San Francisco, CA April 29, 2013 Presented by: Leib Dodell, Esq.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Cyber Insurance Today: Lots of Interest, Lots of Product Innovation, and Lots of Risk Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling,

Cyber Insurance Today: Lots of Interest, Lots of Product Innovation, and Lots of Risk Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling,
Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker. Protecting Your Business from.

Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker. Protecting Your Business from.
Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085.

Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL
Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.

Financial Institutions – Cyber Risk Managing Cyber Risks In An Interconnected World State Compensation Insurance Fund Audit Committee Meeting – February.
INFORMATION SECURITY & PRIVACY OVERVIEW September 23, 2014.

INFORMATION SECURITY & PRIVACY OVERVIEW September 23, 2014.
Presented by: Jamie Orye, JD, RPLU Beazley Group Pennsylvania Association of Mutual Insurance Companies Annual Spring Conference March 12, 2015.

Presented by: Jamie Orye, JD, RPLU Beazley Group Pennsylvania Association of Mutual Insurance Companies Annual Spring Conference March 12, 2015.
BACKGROUND  Hawkes Bay Holdings/Aquila Underwriting LLP  Established 2009 utilising Lloyd’s capacity: Canopius 4444 50% Hiscox 33 50% to May 2010, replaced.

BACKGROUND  Hawkes Bay Holdings/Aquila Underwriting LLP  Established 2009 utilising Lloyd’s capacity: Canopius % Hiscox 33 50% to May 2010, replaced.
Cyber Risk Enhancement Coverage. Cyber security breaches are now a painful reality for virtually every type of organization and at every level of those.

Cyber Risk Enhancement Coverage. Cyber security breaches are now a painful reality for virtually every type of organization and at every level of those.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
NEFEC - Cyber Liability MICHAEL GUZMAN, ARM ARTHUR J. GALLAGHER & CO.

NEFEC - Cyber Liability MICHAEL GUZMAN, ARM ARTHUR J. GALLAGHER & CO.
Overview of Cybercrime

Overview of Cybercrime
WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, 2013 11:30 am – 12:30 pm.

WHAT EVERY RISK MANAGER NEEDS TO KNOW ABOUT DATA SECURITY RIMS Rocky Mountain Chapter Meeting Thursday, July 25, :30 am – 12:30 pm.

Similar presentations

Ads by Google