Published by Janel Simon, modified over 5 years ago
Cyber Insurance: Increasingly Relevant in 2018—Why?
Lockton Global Cyber Risk Practice Group
Privacy Liability: The Threat Landscape
Attacks are becoming much more sophisticated and targeted. Headline figures shown on the slide under the headings APT and PHISHING:
- 78% of Advanced Persistent Threats are initiated through social engineering
- 72% of phishing emails are IT or security related
- 95% of phishing emails are sent on weekdays
- 205: median number of days that threat groups were present on a victim's network before detection
A Change in Approach
The threat landscape is now such that a prevention-only strategy is outdated. Expect that your network has already been compromised and build resilience to minimize the size of the impact.
- People, processes and technology.
- The Board is now a major stakeholder. This is an enterprise risk and no longer sits only with the IT Department.
- Insure residual risk.
- Establish vendor relationships prior to a breach event.
- Mitigate where possible through contract wording.
Cyber Insurance Marketplace
Major focus on data privacy:
- No coverage or policy uniformity in the marketplace.
- Confusion over whether property insurance comes into play.
- Total capacity between the USA and London remains at approximately $300,000,000, and total gross premium is $2.7 billion.
- Retail sector attacks in 2016/17 have had a material impact on the insurance market as those claims are being resolved.
- Capacity continues to increase every year.
- Insurers are increasingly excluding specific privacy risks or requiring additional underwriting scrutiny. Certain insurers are now excluding POS machines and unencrypted data, and in some instances requiring additional information on vendor security, while some carriers are granting full prior-acts and first-party coverage.
Cyber Insurers Market Update
Insurance approach to Cyber & Privacy Perils
Property Insurers Approach
Cyber Insurance Marketplace
Indemnity
- Reimbursement policies allow the insured to hire vendors (with consent from the carrier).
- Vendors will vary by carrier and include outside counsel, IT forensics and public relations experts.
- Breach response expenses are sometimes subject to a sub-limit and will erode the policy aggregate limit.
Vendor panels
- Automatic vendors provided by carriers: established breach panels.
- Some carriers offer notification costs outside of the aggregate limit.
- Some carriers offer notification costs per affected individual rather than monetary sub-limits.
Ten Reasons to Consider Investing in Cyber Insurance
1. Advanced Persistent Threats
Targeted attacks, known as APTs, have become increasingly difficult to detect, let alone stop. The emergence of the nation-state as an adversary leaves the majority of organizations vulnerable, regardless of the resources committed to defense.
2. Governance and an enterprise-wide risk management strategy
The emergence of cybersecurity as a governance issue that must be addressed by the board of directors is redefining the role of cyber insurance as purely a financial instrument to transfer risk. Cybersecurity involves the entire enterprise, with numerous stakeholders, and is no longer only the domain of the IT department.
3. Increasing regulatory risk
Liability to boards of directors is expected to increase and give added weight to a focus on governance. SEC guidance published in 2011 highlights how regulators see cyber insurance as part of a strong enterprise risk management strategy. Many in the legal community see the launch in February 2014 of a federal cybersecurity framework (known as the NIST framework) as creating a standard of care to be used by plaintiff attorneys to allege negligence or worse.
Ten Reasons to Consider Investing in Cyber Insurance
4. A financial incentive
Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenges in trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong cybersecurity through discounted premium or broader coverage.
5. Vicarious risk to vendors and business associates
Adversaries are focusing increasingly on third parties that have access to sensitive information and other critical assets of the target enterprise. Professional service firms or cloud-based solution providers are examples of business associates whose security may be weaker than that of their client and, consequently, provide an easier back door for the attacker. Liability for a breach of PII or PHI typically still rests with the enterprise data owner, even though the breach may have occurred on the vendor's network. Cyber insurance addresses the costs of responding to a breach and possible privacy regulatory action or civil litigation.
6. Insider threats
Attacks from the inside continue to be hard to prevent. Cyber insurance covers the employee as perpetrator as well as an attack by a third party. This will not extend to an act involving the board of directors or executive team.
7. Security is not about compliance
Treating security as a compliance exercise only will result in failure. For example, many organizations that are compliant with payment card industry data security standards have been breached.
Ten Reasons to Consider Investing in Cyber Insurance
8. Monetizing the cost of cybersecurity
One of the biggest challenges to the CISO is to quantify cybersecurity risk in dollar terms to the executive team. The premium charged by an insurance company can help solve this problem.
9. Merger and acquisition activity
The difficulty in evaluating the cybersecurity posture of any acquisition target leaves the acquirer vulnerable.
10. Operational technology
Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable. Built primarily to be available 24/7 and to operate in isolation, these devices are increasingly being connected to the corporate information technology network and the Internet.
What Can Cyber Insurance Cover? PII & PHI Data
Insurers do not address all enterprise assets at risk. The majority of premium spent by buyers was intended to address increasing liability from handling personally identifiable information (PII) or protected health information (PHI) and the costs from either unauthorized disclosure (a data breach) or a violation of the data subject’s privacy. Insurable costs range from data breach response expenses such as notification, forensics, and credit monitoring to defense costs, civil fines, and damages from a privacy regulatory action or civil litigation. Insurers also continue to address certain first-party risks, including the impact on revenue from attacks on corporate networks, extortion demands, and the costs to restore compromised data.
What Can Cyber Insurance Cover?
Insurable assets:
- Personally identifiable information and/or protected health information of employees or consumers
- Corporate confidential information
Data breach response costs, including the following:
- Notification mailings and call center
- Credit monitoring
- Credit correction
- IT forensics
- Public relations
- Defense costs and civil fines from a privacy regulatory action
- Defense costs and damages from civil litigation
What Can Cyber Insurance Cover?
Corporate information technology network:
- Addresses the loss of income as a consequence of network downtime. Certain insurers will also extend coverage to downtime of vendors on whom a policyholder is reliant. This is commonly known as "contingent business interruption."
- Costs to restore compromised data.
- Reimbursement for costs associated with an extortion threat.
Operational technology:
- A few insurers have begun to extend coverage beyond the information technology network to also include operational technology such as industrial control systems.
What Can Cyber Insurance Cover?
Reputation and Brand
Insuring reputational risk from some form of cyber event remains out of the scope of the majority of insurers. At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity. However, capacity remains constrained at $100,000,000 at best.
Physical Assets
Cybersecurity is no longer just about risks to information assets. A cyber attack can now cause property damage that could also lead to financial loss from business interruption, as well as liability from bodily injury or pollution, for example. An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products have also started to appear.
Insuring Agreements Available in Insurance
Network Security Liability
- Claim expenses and damages arising from network and non-network security breaches
Multimedia Liability
- Claim expenses and damages arising from personal injury torts and intellectual property infringement (except patent infringement)
- Claim expenses and damages arising from electronic publishing (website) and other dissemination of matter
Privacy Liability
- Claim expenses and damages emanating from a violation of a privacy law or regulation
- Common law invasion of privacy or infringement of privacy rights
Privacy Regulatory Proceedings and Fines
- Claim expenses in connection with a regulatory inquiry, investigation or proceeding
- Privacy regulation civil fines and consumer redress fund
- PCI DSS fines and assessments
Technology E&O / Miscellaneous E&O
- Claim expenses and damages emanating from a wrongful act in the performance of, or failure to perform, technology services or other professional services
- Claim expenses and damages emanating from your technology products' failure to perform or serve the purpose intended
Data Breach Expense Reimbursement
- Expense reimbursement for third-party reasonable and necessary costs, including public relations costs; legal and forensics expenses; credit protection, mailing and tracking, call center, etc.
- Addresses three scenarios: mandatory, contractual and voluntary
Cyber Extortion
- Reasonable and necessary expenses and any funds paid in connection with an extortion attempt
Network Business Interruption, Data Restoration and Reputation Harm
- Loss of net income and extra expense
What Does Cyber Insurance Not Cover?
Intellectual property assets
Theft of one's own corporate intellectual property (IP) still remains uninsurable today, as insurers struggle to understand its intrinsic loss value once compromised.
Cyber Attack Exclusion Clause
Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive.
Leveraging Cyber Insurance as a Risk Management Tool
Since 2009, the marketplace has evolved to also provide services to help buyers manage risk. Focused mainly on post-event response, turnkey products have emerged, which provide a panel of legal, forensics, and public relations specialists. Popular with smaller enterprises that lack the resources or relationships, this innovation has been a key component in increasing the relevance of cyber insurance and consequently its growth. Larger firms typically seek products based on breadth of coverage and the flexibility to use their own vendor network. Services that help mitigate risk before an event occurs have started to emerge. Insurers likely will begin to incentivize buyers to adopt these services with rewards such as discounted premiums.
How Do Insurers Underwrite Cyber Risks?
Historically, underwriters have sought to understand the controls that enterprises leverage around their people, processes, and technology. However, the majority of assessments are "static," meaning a snapshot at a certain point in time obtained through the completion of a written questionnaire, a phone call interview, or a presentation. A consensus is growing that this approach is increasingly redundant and that insurers will seek to partner with the security industry to use tools that can help predict and monitor the threat, adopting a more threat-intelligence-led capability as part of the underwriting process. In fact, this has already started to happen, as certain insurers have begun to use technology to underwrite vendor and M&A activity risks.
How Do Insurers Price Risk?
Pricing Cybersecurity risk remains a challenge. An insurance market that is only 15 years old has begun to build up a profile for frequency and severity of loss with regard to PII and PHI assets. However, the ever-evolving nature of the threat, particularly the emergence of APTs, undermines the reliability of these statistics. Pricing risk for physical assets is a bigger problem because this has begun to emerge only since 2010, and actuarial data are extremely thin on the ground. Fundamentally, insurers continue to look for a strong security culture within the firm as a first step in risk triage. Additional factors such as industry, revenue size, and actual assets at risk also contribute to how risk is priced.