Promoting UK Cyber Prosperity: Public-Private Cyber-Catastrophe Reinsurance

Report Launch

28 July 2015, City Centre, London, 09:30 to 11:00

“When would we know our financial system is working?”

© Z/Yen Group 2015

Z/Yen Group Limited, 90 Basinghall Street, London EC2V 5AY, United Kingdom

tel: +44 (20) 7562-9562

Agenda

♦ Welcome – Commissioner Adrian Leppard (City of London Police)
♦ Presentation of findings – Professor Michael Mainelli (Z/Yen Group)
♦ Response – Martin Huddleston (Dstl)
♦ Panel discussion – Tom Bolt (Lloyd’s), Martin Huddleston (Dstl), Commissioner Adrian Leppard (COLP), chaired by Hugh Morris (Tori)
♦ Concluding remarks – Professor Michael Mainelli (Z/Yen Group)

Welcome

Commissioner Adrian Leppard, City of London Police

Presentation of Findings

Professor Michael Mainelli, Executive Chairman, Z/Yen

Outline

♦ Cyber-risk
♦ What would a cyber-catastrophe look like?
♦ Cyber insurance and reinsurance
♦ Towards a public-private cyber-catastrophe reinsurance scheme
♦ Recommendations

About the Research

♦ Objectives:
  - understand how cyber-catastrophe reinsurance might help mitigate general cyber-risk
  - establish some evidence of the appetite for such reinsurance
  - examine how the insurance industry and UK government might create a cyber-catastrophe reinsurance scheme without government subsidy
♦ Approach: interviews (>80), webinar, CSFI round-table, desk research
♦ Team: Chiara von Gunten (Project Manager), Mark Duff (Insurance Industry Expert), Michael Mainelli (Project Director)

Cyber-Risk

♦ Dynamic, possibly systemic
♦ Borderless
♦ Difficult to trace
♦ Detection time lag
♦ Under-reporting of attacks
♦ Difficult to model
♦ Rising severity and frequency of attacks
♦ Catastrophic cyber event – when? not if

Cyber attacks are 10th in top 10 global risks in terms of perceived likelihood [WEF Global Risk Landscape 2015]

Possible Damage

♦ Investigation, response & remediation costs
♦ Physical damage to people or assets*
♦ Business disruption/interruption*
♦ Third party liabilities (e.g. customers, employees, shareholders’ actions) and regulatory actions*
♦ Data/software deletion/destruction
♦ Theft of IP
♦ Reputational loss

What’s the Evidence?

Incident | Estonia (2007 to 2008) | Myanmar (2010) | Stuxnet (Iran) (ca. 2008 to 2010) | Sony Pictures Entertainment – data and product theft (2014) | Steel Plant – Germany (2014) | State-sponsored cyber-espionage – USA (ca. 2006 to 2014)

Type of cyber attack | Distributed Denial of Service (DDoS) | DDoS | Cyber worm | Spear-phishing | Spear-phishing

Duration | < 1 month | 1 to 2 months | > 2 to 3 years | 1 to 3 months | - | Ca. 8 years

Detection | Immediate | Immediate | One or two years later | One or two months later | - | Months or years later

Terminology used to describe it | Cyber warfare | - | The first cyber weapon | Cyber vandalism | Advanced persistent threat attack | Cyber espionage

Page 13 in the report

Framework for Cyber Threats

[Source: CCRS, 2014]

Cyber-Catastrophe?

What Constitutes Cyber-Catastrophe?

♦ Hypothetically, many possible cyber-catastrophes - water contamination, power grid disruption, securities markets shutdown, cloud disruption, …
♦ Systematically Important Technology Enterprises (SITEs) attack - “software systems of individual technology companies underpinning a large proportion of the cyber economy” (CCRS, 2014)
♦ Cyber-catastrophe – tentative definition – “a cyber event causing damage at scale to the point that resulting losses exceed insurers’ capacity and could potentially threaten a country’s security and economy”

Catastrophic losses

Estimated insured losses resulting from recent catastrophic events

[Source: adapted from RAND, 2004; Swiss Re, 2014; Lloyd’s & CCRS, 2015]

Page 15 in the report

Current State Of Cover

[Source: Willis, 2014: 6]

Cyber Insurance

♦ Cyber insurance = new class of business
  - Standalone cyber insurance developing to fill the gap where standard policies do not cover cyber-risk
  - Coverage depends on policies’ wording and definition of event – mostly 1st party loss coverage
  - Cautious underwriting approach – net lines, relatively high deductibles, low limits, high premiums
♦ Size of the market – estimates vary but
  - USA: US$ 2 billion to US$ 2.5 billion GWP in 2014
  - Europe: US$ 150 million to US$ 200 million GWP in 2013
  - Market penetration low and uneven: circa 30% major companies in US versus 5% in Europe; UK 2% for large organisations, close to 0% for SMEs.

CL380 – Cyber Attack Exclusion Clause

[Reference: Institute Cyber Attack Exclusion Clause 10/11/2003]

1.1 Subject only to Clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any electronic system.

1.2 Where this Clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system, computer software programme, or any electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

Page 19 in the report

Options – A Financial View

Cyber Reinsurance

[Diagram: options plotted against two axes, Effort and Scope]

1. Information sharing for internal funds
2. “Badged” insurance
3. Captive insurance company or PCC
4. UK company or Lloyd’s syndicate
5. Trade mutual
6. Industry mutual
7. Capital markets solutions

Mind The Gap!

♦ Lack of understanding of cyber-risks & events & interconnectivity
♦ Uncertainty around coverage - wordings and exclusions
♦ Lack of actuarial data
♦ Pricing objectivity and information asymmetries
♦ Lack of product consistency leads to lack of trust in insurers’ paying claims
♦ Aggregation risk catastrophe models – exacerbated by interdependence of cyber risks
♦ Lack of adequate regulatory capital & reinsurance capacity

Opportunities

♦ Insurance is part of the toolkit to manage cyber-risk exposure
♦ Market opportunity, e.g. EU data protection
♦ Opportunities to support insurance development and take up through
  - better disclosure of cyber-risks and events
  - adoption of standards for cyber security and resilience e.g. NIST (US), Cyber Essentials (UK), ISO 27000, CESG’s 10 steps
  - better understanding of exposure to cyber risk among large organisations in sectors of national importance
    - CBEST Vulnerability Testing Framework
    - PRA’s General Insurance Stress Test 2015

Government Risk Finance

Page 29 in the report

How Might A Cyber Re Work?

♦ Pool funded by insurance industry, seeking its own reinsurance
  - new public-private reinsurance scheme or extending remit of existing one, e.g. Pool Re
♦ Would cover losses resulting from a cyber-event beyond a pre-determined excess point
  - excess point to be agreed jointly by government and industry
♦ Government role
  - promotion
  - last resort insurer only in the event that industry retentions and pool reserves have been exhausted

Expected Benefits

♦ Making insurance work as a whole - shared learning & best practice, clarity and certainty in the insurance market
♦ Supporting UK prosperity
  - resilience
  - imports and exports
♦ Such a scheme would involve:
  - agreement on standard cyber cover and wording
  - removing exclusions from standard policies
  - expanding coverage to include business interruption, property damage and bodily injury
  - more ‘objective’ pricing of premiums

Recommendations

♦ Discussions on the scheme should start now rather than after a cyber-catastrophe occurs
♦ Scheme should provide standardised wordings and data collection
♦ Scheme should promote the use and evolution through learning of ICT security and risk management standards
♦ Regulators to encourage membership of the scheme by insurers providing cyber cover
♦ Government to encourage insurance for essential services and critical national infrastructure
♦ Members should seek group reinsurance, explore ILS

Response

Martin Huddleston, Principal Cyber Solutions Architect, Dstl

Panel Discussion

Tom Bolt, Director, Performance Management, Lloyd’s
Martin Huddleston, Principal Cyber Solutions Architect, Dstl
Adrian Leppard, Commissioner, City of London Police
Hugh Morris (chair), Director, Tori Global

Concluding Remarks

Professor Michael Mainelli

Executive Chairman, Z/Yen

More Information

♦ Report available on Long Finance and Z/Yen websites
♦ Slides on event page
♦ Comments on the report welcome! Contact Chiara ([email protected])

THANK YOU!

Thanks to our Sponsors!

Report sponsor

http://apmg-cyber.com/

Event sponsor

www.toriglobal.com