FROM CYBER RISKS TO CYBER INSURANCE - Munich Re

FROM CYBER RISKS

TO CYBER INSURANCE

LIMA Programme

2020

“Our lives have become digital in

many aspects: at home, with friends,

at work or school. Even now amid

COVID, we keep digitalising. All this

doesn’t come without risk. The

availability of data and systems has

become a crucial element.”

Wolfgang Boffo

Senior Cyber Underwriter

Munich Re

1 September 2020

Wolfgang Boffo

From Cyber Risk to Cyber Insurance

Not if, but when

51 September 2020Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance

Agenda Slide

1. Cyber Risk – Its Potential and Market Size

2. Munich Re – Cyber Risk Insurance Offering

3. What Else to Know?

iStock-840166882

Cyber Risk

Its Potential and Market Size 1

As a warm-up

What are Cyber Risks?

1 September 2020 7Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance

“Risks arising from the storage,

usage, computation, and/ or

transmission of electronic data.

Such cyber risks may be

malicious, for example caused by

individual hackers or inadvertently,

caused by a coding error.”

The increasing use of new

technologies, self-learning machines,

cloud computing, digital ecosystems,

new communication standards like

5G and our dependence on smart

devices are all parts of the global

digital transformation.

Cyber Risks arise

from Cyber Perils

Who can be affected?

Own photograph

Keep warming-up

Have a look at this!


2007

DDoS on Estonian

govt. sites

2011

Sony PSN

data breach

2013

Yahoo!

(3bn records)2014

Sony Picture

hack

2017

WannaCry

2016

Yahoo

(500m records)

2017

NotPetya (USD 10bn)

2012

Dropbox

(68m records)

2014

eBay

(145m records)

2016

LinkedIn (112m records)

2016

Bank of Bangladesh attack

(estimated USD 81m stolen)

2017

Uber (57m records)

2009

DDoS attack on govt./financial

websites in South Korea

2010

Stuxnet

2011

RSA SecurID infiltration

2015

Anthem

(80m records)

2015

US federal

(21m records)

2019

GDPR Fines

British Airways USD 229m

Marriott USD 123m

Capital One USD 80m

(106m records)

2019

NorskHydro (USD 75m)

2018

TSMC (USD 175m)

2018

British Airways (380k transactions)

2018

Facebook (87m records)

2018

Marriott

(350m records)

2005 2020

2020

Cognizant (USD 400m)

Is (Southern) Africa close to such Cyber Risk action?

You bet you are!


What is the good news now?

We write Cyber Risks!


First of all, insured is hit by a Cyber Event

Cyber risk-related financial loss due to

loss or non-availability of own and third

party data causing business interruption,

third party liability, restoration cost, legal &

notification cost, reputational loss, network

& media liability, extortion etc. is covered.

At the same time, insured needs hands-on help!

Suddenly he has a problem he cannot solve

himself and he also doesn’t know where to

find help.

This is particularly relevant for the general

public and SMEs alike as they don’t have an

IT security department like larger corporates.

Why is our Cyber Insurance doing

the trick?

▪ In addition to an Insurance Policy, it entails, like road-side assistance, Post-Incident Services.

▪ It is a comprehensive solution beyond a traditional insurance product – but, it comes at a price.

Let’s take a step back!

Is there already a market in Cyber Risk Insurance?


▪ For 2020, Munich Re estimates

that the global cyber insurance market is

worth over USD 7bn.

▪ North America remains the strongest

market with a value of USD 5.3bn.

▪ Munich Re anticipates strong

growth in Asia and Europe.

▪ The value of the European cyber market

in 2020 is estimated at

more than USD 1bn.

So what’s left for Africa? At least >500,000 SMEs and ~50m people only in South Africa.

How mature are various markets?

Let’s compare two examples!


Germany USA

Rank IMD Digital Competitiveness* #17 #1

Cyber Breach related regulation

Level of Litigation

Existing Cyber insurance solutions

Awareness amongst SME

Maturity of Cyber Insurance Market

Size 2020 m USD GWP 183 5.200

Share PL/ SME/ large corporate (%) 10/ 55/ 35 5/ 35/ 60

Share First Party/ Third Party (%) 70/ 30 40/ 60

Top 3 OccupanciesManufacturing, FI,

others

Retail,

Healthcare, FI

*) based on 2019 IMD World Digital Competitiveness Ranking

US Cyber market got going because of

▪ Nation wide known events

▪ High cost given tough legislation

▪ Senior executives loosing their jobs

▪ D&O insurers claiming Cyber ‘must-have’

Which factor will determine the future growth

of early stage markets like ZA?

What’s the impact of data protection legislation

like POPI Act going to be?

iStock-918855102

Munich Re

Cyber Risk Insurance Offering 2

Munich Re Cyber Risk Strategy

Coverage for Commercial and Personal Lines


Primary

InsuranceBespoke and transactional

Traditional

ReinsuranceFocus on proportional participations

Munich Re as a Risk Taker Comprehensive Service Model powered by Munich Re

Cyber Risk

Insurance

Claims

Response

Services

Risk

AssessmentWording

Pricing

support

Accumulation

Control

What can be covered under Personal Lines Cyber?

We offer various modules for flexible, but adequate cover


Theft of fundsReimbursement of funds lost due to a

cyber incident, hacking of your bank

accounts, payment cards or mobile

wallets

Identity protectionReimbursement of costs resulting

from an identity theft

Data restorationReimbursement of costs to restore

data and software after a cyber

incident

Cyber bullying/ stalkingReimbursement for costs resulting from cyber

bullying or stalking

!!! Cyber extortionReimbursement of ransom payments

where legally permissible

Online sales & shoppingReimbursement of funds lost due online

sales & shopping fraud

Media liabilityReimbursement of costs arising from third party

claim for defamation, breach of copyright or

interference of privacy rights resulting from your

online activities

Network security liabilityReimbursement of costs arising from a third

party claim for a cyber incident on your

computer systems that you failed to prevent

Privacy breach & data breachReimbursement of costs arising out of a 1st or 3rd

party data breach

Smartphone coverReimbursements of costs to restore your data

and software after a cyber incident on your

smartphone

▪ Lower limits

▪ Lower premiums

▪ How to get a reasonably sized

portfolio of insureds going?

What can be covered under Commercial Lines Cyber?

All industry specific needs can be met


Incident & Breach Response▪ Expert to investigate and support you

▪ In-house crisis management center operation

▪ Lawyer to comply with applicable regulatory

authorities

▪ Expert for reputational protection

Restoration▪ Expert to restore the data and software

Business Interruption▪ Waiting period 12hrs to 24hrs

▪ Loss of gross profit and increased cost

of working

Cyber Extortion▪ Expert to investigate and support you

▪ Support to pay ransom amount

Cyber Crime▪ Forensic experts attempts to retrieve

funds in collaboration with your bank

▪ The amount illegally taken from you

PCI-DSS ▪ Cost for PCI Forensic Investigator to

investigate

▪ PCI-DSS recertification

▪ If applicable, reissuing any credit, debit

or pre-funded cards

Confidentiality & Privacy

Liability ▪ Customer notification costs

▪ Legal defence costs

▪ Sums which you are legally liable (potentially

including fines from authorities)

Network Security Liability ▪ Legal defence costs

▪ Sums which you are legally liable

▪ Expert for reputational protection

▪ Expert to investigate and support you

Media Liability▪ Legal defence cost

▪ Sums which you are legally liable

FIRST PARTY COVER THIRD PARTY CLAIMS

How is the risk assessment and pricing being done?

We use our own methodology


Risk/

Exposure

Complexity/

Size of InsuredMethod of individual risk assessment must

▪ account for industry specific exposure

▪ fit to size of organization and its global footprint

▪ consider legislation and jurisdiction

▪ depend on incident history

In addition, pricing to be paired with assessment results with

▪ requested limit structure

▪ cover elements asked for

▪ given loss history for industry segment and/ or region

▪ additional statistics a leading cyber reinsurer has

If we cannot assess it or price it, we won’t write it.

A few risks will vastly accumulate, hence we either put up a

sublimit or an exclusion.

Self assessment

through insured

On-site „visits“

& interviews

Underwriter

call/ market

meeting

Questionnaires as a basis

(micro – small – medium – large)

And then it hit the insured …

What to do in a Cyber Risk Event?


Cyber Incident Supportpowered by Munich Re

Cyber incident is

detected

!

Insured is back to

business. Expenses

will be covered.

Immediately call the

cyber emergency

support hotline

Incident response

manager provides

immediate first-aid

Our forensic experts

support you to recover

your system

Why Munich Re?

We have been awarded Cyber Reinsurer of the year 4 times in a row


Our people

▪ > 120 dedicated colleagues working worldwide on delivering

Cyber solutions to clients and managing exposure

▪ > 20 dedicated Cyber risk experts with Cyber security track

record to provide best in class risk assessments

▪ Worldwide leverage of resources to bring right knowledge to you

Our experience

▪ > 20 years of experience (Think Y2K!)

▪ Global leadership with > USD 500m premium

and > 10% market share

▪ Most extensive loss statistics and exposure data set

Our approach

▪ Building long term partnerships, but with commitments from

both sides

▪ Solutions based on client needs and co-creation

▪ One step ahead of the curve

iStock-479446229

What Else to Know?

3

It often sounded like either Property or Casualty Insurance

Why would I need a Cyber Insurance in addition?


CYBER

AS PERIL

CYBER

AS PERIL

Property Cyber

Property Damage/ Physical Damage

Business Interruption

CBI

Data Valuation Clause

General Liability

Product Liability

E&O/ PI

D&O

Crime

Data

restoration

PD caused by

cyber incident

Non-physical

damage BI

Data

recreation Cyber

crime

PD/ Bodily Injury

cyber incident

Media

liability

Cyber

Extortion

Network security

liability

Privacy/

Confidentiality

breach

Casualty

Silent Cyber Risk must be made affirmative to ensure Cyber Risks are priced adequately

Potential silent cyber scenarios in Property & Casualty

It is of utmost importance to be clear about scope of coverage


Key Points:

▪ “Hacked fire” scenario

▪ Threat of specifically targeted attacks on industrial

control systems (ICS)

▪ Risk of attack on multiple plants by targeting ICS

▪ “Key insured interest”: PD + BI

Image: Shulz / Getty Images / iStockphoto

Cyber attack

on industrial plant (ICS)

Examples:▪ UAE solar power plant (2011)

▪ Triton (2017)

▪ University of Cambridge: Cyber-Induced Explosion in a

Chemical Facility Scenario

Key Points:

▪ Accident/ explosion affecting surrounding property and

third parties

▪ Covered loss: Bodily Injury, Third Party Property

Damage (TPPD)

▪ Concerned class of business: General Liability, Workers

Comp, Employer’s Liability, Environmental Liability, D&O

Image: Shulz / Getty Images / iStockphoto

Examples:▪ Cyber attack on water utility control system (2016)

▪ Steel mill (Germany, 2014)

▪ Stuxnet attack on industrial facility (Iran, 2010)

Cyber attack

on industrial plant (ICS)

Cannot close this presentation without Covid-19

Necessity, potential and complexity of cyber insurance becomes eminent


▪ Increase in frequency and severity of

malicious attacks

▪ Increase on frequency in cyber-crime

losses

▪ Higher level of Cyber Risk awareness

▪ Enforcement of selective hardening

caused by Ransomware losses in

combination with the effects of Covid-19

▪ Less budget available to purchase

insurance – and to invest into IT security

Changed exposure due to shift

to home offices

Covid-19 used in the context of

phishing attacks

Whereas we have not yet seen increased losses, we see momentum to position Cyber with clients

What’s happening? Potential implications on Cyber insurance

Digitization-push (cash less online

shopping & communication; etc.)

Economic impact/ global

recession

Not if, but when – this will be true in both regards:

Getting the Cyber market going, but also getting hit by an attack


>TxsVeryMuch4yOURAttention!

Documents

FROM CYBER RISKS TO CYBER INSURANCE - Munich Re