© Z/Yen Group
2015
Z/Yen Group Limited
90 Basinghall Street
London EC2V 5AY
United Kingdom
tel: +44 (20) 7562-9562
“When would we know our financial system is working?”
Report Launch
Promoting UK Cyber Prosperity: Public-Private Cyber-Catastrophe Reinsurance
28 July 2015, City Centre, London, 09:30 to 11:00

Agenda
♦ Welcome – Commissioner Adrian Leppard (City of London Police)
♦ Presentation of findings – Professor Michael Mainelli (Z/Yen Group)
♦ Response – Martin Huddleston (Dstl)
♦ Panel discussion – Tom Bolt (Lloyd’s), Martin Huddleston (Dstl), Commissioner Adrian Leppard (COLP), chaired by Hugh Morris (Tori)
♦ Concluding remarks – Professor Michael Mainelli (Z/Yen Group)

Welcome
Commissioner Adrian Leppard, City of London Police

Presentation of Findings
Professor Michael Mainelli, Executive Chairman, Z/Yen

Outline
♦ Cyber-risk
♦ What would a cyber-catastrophe look like?
♦ Cyber insurance and reinsurance
♦ Towards a public-private cyber-catastrophe reinsurance scheme
♦ Recommendations

About the Research
♦ Objectives:
    - understand how cyber-catastrophe reinsurance might help mitigate general cyber-risk
    - establish some evidence of the appetite for such reinsurance
    - examine how the insurance industry and UK government might create a cyber-catastrophe reinsurance scheme without government subsidy
♦ Approach: interviews (>80), webinar, CSFI round-table, desk research
♦ Team: Chiara von Gunten (Project Manager), Mark Duff (Insurance Industry Expert), Michael Mainelli (Project Director)

Cyber-Risk
♦ Dynamic, possibly systemic
♦ Borderless
♦ Difficult to trace
♦ Detection time lag
♦ Under-reporting of attacks
♦ Difficult to model
♦ Rising severity and frequency of attacks
♦ Catastrophic cyber event – a question of when, not if
Cyber attacks rank 10th among the top 10 global risks in terms of perceived likelihood [WEF Global Risk Landscape 2015]

Possible Damage
♦ Investigation, response & remediation costs
♦ Physical damage to people or assets*
♦ Business disruption/interruption*
♦ Third party liabilities (e.g. customers, employees, shareholders’ actions) and regulatory actions*
♦ Data/software deletion/destruction
♦ Theft of IP
♦ Reputational loss

What’s the Evidence?
(Page 13 in the report)

| Event | Type of cyber attack | Duration | Detection | Terminology used to describe it |
|---|---|---|---|---|
| Estonia (2007 to 2008) | Distributed Denial of Service (DDoS) | < 1 month | Immediate | Cyber warfare |
| Myanmar (2010) | DDoS | 1 to 2 months | Immediate | - |
| Stuxnet (Iran) (ca. 2008 to 2010) | Cyber worm | > 2 to 3 years | One or two years later | The first cyber weapon |
| Sony Pictures Entertainment – data and product theft (2014) | Spear-phishing | 1 to 3 months | One or two months later | Cyber vandalism |
| Steel plant – Germany (2014) | Spear-phishing | - | - | Advanced persistent threat attack |
| State-sponsored cyber-espionage – USA (ca. 2006 to 2014) | | Ca. 8 years | Months or years later | Cyber espionage |

Framework for Cyber Threats
(figure) [Source: CCRS, 2014]

Cyber-Catastrophe?

What Constitutes Cyber-Catastrophe?
♦ Hypothetically, many possible cyber-catastrophes – water contamination, power grid disruption, securities markets shutdown, cloud disruption, …
♦ Attack on Systemically Important Technology Enterprises (SITEs) – “software systems of individual technology companies underpinning a large proportion of the cyber economy” (CCRS, 2014)
♦ Cyber-catastrophe – tentative definition – “a cyber event causing damage at scale to the point that resulting losses exceed insurers’ capacity and could potentially threaten a country’s security and economy”

Catastrophic Losses
(figure: estimated insured losses resulting from recent catastrophic events)
[Source: adapted from RAND, 2004; Swiss Re, 2014; Lloyd’s & CCRS, 2015]
(Page 15 in the report)

Current State Of Cover
(figure) [Source: Willis, 2014: 6]

Cyber Insurance
♦ Cyber insurance = new class of business
    - Standalone cyber insurance developing to fill the gap where standard policies do not cover cyber-risk
    - Coverage depends on policies’ wording and definition of event – mostly 1st party loss coverage
    - Cautious underwriting approach – net lines, relatively high deductibles, low limits, high premiums
♦ Size of the market – estimates vary, but:
    - USA: US$ 2 billion to US$ 2.5 billion GWP in 2014
    - Europe: US$ 150 million to US$ 200 million GWP in 2013
    - Market penetration low and uneven: circa 30% of major companies in the US versus 5% in Europe; UK 2% for large organisations, close to 0% for SMEs.

CL380 – Cyber Attack Exclusion Clause
[Reference: Institute Cyber Attack Exclusion Clause 10/11/2003]
(Page 19 in the report)

1.1 Subject only to Clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any electronic system.

1.2 Where this Clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system, computer software programme, or any electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

Cyber Reinsurance
Options – A Financial View
(diagram: the options below plotted by effort against scope)
1. Information sharing for internal funds
2. “Badged” insurance
3. Captive insurance company or PCC
4. UK company or Lloyd’s syndicate
5. Trade mutual
6. Industry mutual
7. Capital markets solutions

Mind The Gap!
♦ Lack of understanding of cyber-risks, events and their interconnectivity
♦ Uncertainty around coverage – wordings and exclusions
♦ Lack of actuarial data
♦ Pricing objectivity and information asymmetries
♦ Lack of product consistency leads to lack of trust in insurers paying claims
♦ Aggregation risk and catastrophe models – exacerbated by interdependence of cyber risks
♦ Lack of adequate regulatory capital & reinsurance capacity

Opportunities
♦ Insurance is part of the toolkit to manage cyber-risk exposure
♦ Market opportunity, e.g. EU data protection
♦ Opportunities to support insurance development and take-up through:
    - better disclosure of cyber-risks and events
    - adoption of standards for cyber security and resilience, e.g. NIST (US), Cyber Essentials (UK), ISO 27000, CESG’s 10 steps
    - better understanding of exposure to cyber risk among large organisations in sectors of national importance
    - CBEST Vulnerability Testing Framework
    - PRA’s General Insurance Stress Test 2015

Government Risk Finance
(figure) (Page 29 in the report)

How Might A Cyber Re Work?
♦ Pool funded by insurance industry, seeking its own reinsurance
    - new public-private reinsurance scheme or extending remit of existing one, e.g. Pool Re
♦ Would cover losses resulting from a cyber-event beyond a pre-determined excess point
    - excess point to be agreed jointly by government and industry
♦ Government role
    - promotion
    - last resort insurer only in the event that industry retentions and pool reserves have been exhausted

Expected Benefits
♦ Making insurance work as a whole – shared learning & best practice, clarity and certainty in the insurance market
♦ Supporting UK prosperity
    - resilience
    - imports and exports
♦ Such a scheme would involve:
    - agreement on standard cyber cover and wording
    - removing exclusions from standard policies
    - expanding coverage to include business interruption, property damage and bodily injury
    - more ‘objective’ pricing of premiums

Recommendations
♦ Discussions on the scheme should start now rather than after a cyber-catastrophe occurs
♦ Scheme should provide standardised wordings and data collection
♦ Scheme should promote the use and evolution, through learning, of ICT security and risk management standards
♦ Regulators to encourage membership of the scheme by insurers providing cyber cover
♦ Government to encourage insurance for essential services and critical national infrastructure
♦ Members should seek group reinsurance, explore ILS

Response
Martin Huddleston, Principal Cyber Solutions Architect, Dstl

Panel Discussion
♦ Tom Bolt – Director, Performance Management, Lloyd’s
♦ Martin Huddleston – Principal Cyber Solutions Architect, Dstl
♦ Adrian Leppard – Commissioner, City of London Police
♦ Hugh Morris (chair) – Director, Tori Global

Concluding Remarks
Professor Michael Mainelli, Executive Chairman, Z/Yen

Future Event
“Cyberspace: Security and Democracy”
Monday, 18 January 2016, 14:00
Gresham College, Barnard’s Inn Hall, London EC1N 2HH
Conference with:
♦ Professor Tim Connell
♦ Commissioner Adrian Leppard (City of London Police)
♦ Sir John O’Reilly
♦ Professor Michael Mainelli (Z/Yen & Long Finance)
Free registration: http://www.gresham.ac.uk/lectures-and-events/cyberspace-security-and-democracy

More Information
♦ Report available on Long Finance and Z/Yen websites
♦ Slides on event page
♦ Comments on the report welcome! Contact Chiara ([email protected])
THANK YOU!

Thanks to our Sponsors!
Report sponsor: http://apmg-cyber.com/
Event sponsor: www.toriglobal.com