FROM CYBER RISKS
TO CYBER INSURANCE
LIMA Programme
2020
“Our lives have become digital in
many aspects: at home, with friends,
at work or school. Even now amid
COVID, we keep digitalising. All this
doesn’t come without risk. The
availability of data and systems has
become a crucial element.”
Wolfgang Boffo
Senior Cyber Underwriter
Munich Re
1 September 2020
Wolfgang Boffo
From Cyber Risk to Cyber Insurance
Not if, but when
51 September 2020Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Agenda Slide
1. Cyber Risk – Its Potential and Market Size
2. Munich Re – Cyber Risk Insurance Offering
3. What Else to Know?
iStock-840166882
Cyber Risk
Its Potential and Market Size 1
As a warm-up
What are Cyber Risks?
1 September 2020 7Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
“Risks arising from the storage,
usage, computation, and/ or
transmission of electronic data.
Such cyber risks may be
malicious, for example caused by
individual hackers or inadvertently,
caused by a coding error.”
The increasing use of new
technologies, self-learning machines,
cloud computing, digital ecosystems,
new communication standards like
5G and our dependence on smart
devices are all parts of the global
digital transformation.
Cyber Risks arise
from Cyber Perils
Who can be affected?
Own photograph
Keep warming-up
Have a look at this!
1 September 2020 8Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
2007
DDoS on Estonian
govt. sites
2011
Sony PSN
data breach
2013
Yahoo!
(3bn records)2014
Sony Picture
hack
2017
WannaCry
2016
Yahoo
(500m records)
2017
NotPetya (USD 10bn)
2012
Dropbox
(68m records)
2014
eBay
(145m records)
2016
LinkedIn (112m records)
2016
Bank of Bangladesh attack
(estimated USD 81m stolen)
2017
Uber (57m records)
2009
DDoS attack on govt./financial
websites in South Korea
2010
Stuxnet
2011
RSA SecurID infiltration
2015
Anthem
(80m records)
2015
US federal
(21m records)
2019
GDPR Fines
British Airways USD 229m
Marriott USD 123m
Capital One USD 80m
(106m records)
2019
NorskHydro (USD 75m)
2018
TSMC (USD 175m)
2018
British Airways (380k transactions)
2018
Facebook (87m records)
2018
Marriott
(350m records)
2005 2020
2020
Cognizant (USD 400m)
Is (Southern) Africa close to such Cyber Risk action?
You bet you are!
1 September 2020 9Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
What is the good news now?
We write Cyber Risks!
1 September 2020 10Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
First of all, insured is hit by a Cyber Event
Cyber risk-related financial loss due to
loss or non-availability of own and third
party data causing business interruption,
third party liability, restoration cost, legal &
notification cost, reputational loss, network
& media liability, extortion etc. is covered.
At the same time, insured needs hands-on help!
Suddenly he has a problem he cannot solve
himself and he also doesn’t know where to
find help.
This is particularly relevant for the general
public and SMEs alike as they don’t have an
IT security department like larger corporates.
Why is our Cyber Insurance doing
the trick?
▪ In addition to an Insurance Policy, it entails, like road-side assistance, Post-Incident Services.
▪ It is a comprehensive solution beyond a traditional insurance product – but, it comes at a price.
Let’s take a step back!
Is there already a market in Cyber Risk Insurance?
1 September 2020 11Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
▪ For 2020, Munich Re estimates
that the global cyber insurance market is
worth over USD 7bn.
▪ North America remains the strongest
market with a value of USD 5.3bn.
▪ Munich Re anticipates strong
growth in Asia and Europe.
▪ The value of the European cyber market
in 2020 is estimated at
more than USD 1bn.
So what’s left for Africa? At least >500,000 SMEs and ~50m people only in South Africa.
How mature are various markets?
Let’s compare two examples!
1 September 2020 12Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Germany USA
Rank IMD Digital Competitiveness* #17 #1
Cyber Breach related regulation
Level of Litigation
Existing Cyber insurance solutions
Awareness amongst SME
Maturity of Cyber Insurance Market
Size 2020 m USD GWP 183 5.200
Share PL/ SME/ large corporate (%) 10/ 55/ 35 5/ 35/ 60
Share First Party/ Third Party (%) 70/ 30 40/ 60
Top 3 OccupanciesManufacturing, FI,
others
Retail,
Healthcare, FI
*) based on 2019 IMD World Digital Competitiveness Ranking
US Cyber market got going because of
▪ Nation wide known events
▪ High cost given tough legislation
▪ Senior executives loosing their jobs
▪ D&O insurers claiming Cyber ‘must-have’
Which factor will determine the future growth
of early stage markets like ZA?
What’s the impact of data protection legislation
like POPI Act going to be?
iStock-918855102
Munich Re
Cyber Risk Insurance Offering 2
Munich Re Cyber Risk Strategy
Coverage for Commercial and Personal Lines
1 September 2020 14Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Primary
InsuranceBespoke and transactional
Traditional
ReinsuranceFocus on proportional participations
Munich Re as a Risk Taker Comprehensive Service Model powered by Munich Re
Cyber Risk
Insurance
Claims
Response
Services
Risk
AssessmentWording
Pricing
support
Accumulation
Control
What can be covered under Personal Lines Cyber?
We offer various modules for flexible, but adequate cover
1 September 2020 15Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Theft of fundsReimbursement of funds lost due to a
cyber incident, hacking of your bank
accounts, payment cards or mobile
wallets
Identity protectionReimbursement of costs resulting
from an identity theft
Data restorationReimbursement of costs to restore
data and software after a cyber
incident
Cyber bullying/ stalkingReimbursement for costs resulting from cyber
bullying or stalking
!!! Cyber extortionReimbursement of ransom payments
where legally permissible
Online sales & shoppingReimbursement of funds lost due online
sales & shopping fraud
Media liabilityReimbursement of costs arising from third party
claim for defamation, breach of copyright or
interference of privacy rights resulting from your
online activities
Network security liabilityReimbursement of costs arising from a third
party claim for a cyber incident on your
computer systems that you failed to prevent
Privacy breach & data breachReimbursement of costs arising out of a 1st or 3rd
party data breach
Smartphone coverReimbursements of costs to restore your data
and software after a cyber incident on your
smartphone
▪ Lower limits
▪ Lower premiums
▪ How to get a reasonably sized
portfolio of insureds going?
What can be covered under Commercial Lines Cyber?
All industry specific needs can be met
1 September 2020 16Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Incident & Breach Response▪ Expert to investigate and support you
▪ In-house crisis management center operation
▪ Lawyer to comply with applicable regulatory
authorities
▪ Expert for reputational protection
Restoration▪ Expert to restore the data and software
Business Interruption▪ Waiting period 12hrs to 24hrs
▪ Loss of gross profit and increased cost
of working
Cyber Extortion▪ Expert to investigate and support you
▪ Support to pay ransom amount
Cyber Crime▪ Forensic experts attempts to retrieve
funds in collaboration with your bank
▪ The amount illegally taken from you
PCI-DSS ▪ Cost for PCI Forensic Investigator to
investigate
▪ PCI-DSS recertification
▪ If applicable, reissuing any credit, debit
or pre-funded cards
Confidentiality & Privacy
Liability ▪ Customer notification costs
▪ Legal defence costs
▪ Sums which you are legally liable (potentially
including fines from authorities)
Network Security Liability ▪ Legal defence costs
▪ Sums which you are legally liable
▪ Expert for reputational protection
▪ Expert to investigate and support you
Media Liability▪ Legal defence cost
▪ Sums which you are legally liable
FIRST PARTY COVER THIRD PARTY CLAIMS
How is the risk assessment and pricing being done?
We use our own methodology
1 September 2020 17Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Risk/
Exposure
Complexity/
Size of InsuredMethod of individual risk assessment must
▪ account for industry specific exposure
▪ fit to size of organization and its global footprint
▪ consider legislation and jurisdiction
▪ depend on incident history
In addition, pricing to be paired with assessment results with
▪ requested limit structure
▪ cover elements asked for
▪ given loss history for industry segment and/ or region
▪ additional statistics a leading cyber reinsurer has
If we cannot assess it or price it, we won’t write it.
A few risks will vastly accumulate, hence we either put up a
sublimit or an exclusion.
Self assessment
through insured
On-site „visits“
& interviews
Underwriter
call/ market
meeting
Questionnaires as a basis
(micro – small – medium – large)
And then it hit the insured …
What to do in a Cyber Risk Event?
1 September 2020 18Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Cyber Incident Supportpowered by Munich Re
Cyber incident is
detected
!
Insured is back to
business. Expenses
will be covered.
Immediately call the
cyber emergency
support hotline
Incident response
manager provides
immediate first-aid
Our forensic experts
support you to recover
your system
Why Munich Re?
We have been awarded Cyber Reinsurer of the year 4 times in a row
1 September 2020 19Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Our people
▪ > 120 dedicated colleagues working worldwide on delivering
Cyber solutions to clients and managing exposure
▪ > 20 dedicated Cyber risk experts with Cyber security track
record to provide best in class risk assessments
▪ Worldwide leverage of resources to bring right knowledge to you
Our experience
▪ > 20 years of experience (Think Y2K!)
▪ Global leadership with > USD 500m premium
and > 10% market share
▪ Most extensive loss statistics and exposure data set
Our approach
▪ Building long term partnerships, but with commitments from
both sides
▪ Solutions based on client needs and co-creation
▪ One step ahead of the curve
iStock-479446229
What Else to Know?
3
It often sounded like either Property or Casualty Insurance
Why would I need a Cyber Insurance in addition?
1 September 2020 21Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
CYBER
AS PERIL
CYBER
AS PERIL
Property Cyber
Property Damage/ Physical Damage
Business Interruption
CBI
Data Valuation Clause
General Liability
Product Liability
E&O/ PI
D&O
Crime
Data
restoration
PD caused by
cyber incident
Non-physical
damage BI
Data
recreation Cyber
crime
PD/ Bodily Injury
cyber incident
Media
liability
Cyber
Extortion
Network security
liability
Privacy/
Confidentiality
breach
Casualty
Silent Cyber Risk must be made affirmative to ensure Cyber Risks are priced adequately
Potential silent cyber scenarios in Property & Casualty
It is of utmost importance to be clear about scope of coverage
1 September 2020 22Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
Key Points:
▪ “Hacked fire” scenario
▪ Threat of specifically targeted attacks on industrial
control systems (ICS)
▪ Risk of attack on multiple plants by targeting ICS
▪ “Key insured interest”: PD + BI
Image: Shulz / Getty Images / iStockphoto
Cyber attack
on industrial plant (ICS)
Examples:▪ UAE solar power plant (2011)
▪ Triton (2017)
▪ University of Cambridge: Cyber-Induced Explosion in a
Chemical Facility Scenario
Key Points:
▪ Accident/ explosion affecting surrounding property and
third parties
▪ Covered loss: Bodily Injury, Third Party Property
Damage (TPPD)
▪ Concerned class of business: General Liability, Workers
Comp, Employer’s Liability, Environmental Liability, D&O
Image: Shulz / Getty Images / iStockphoto
Examples:▪ Cyber attack on water utility control system (2016)
▪ Steel mill (Germany, 2014)
▪ Stuxnet attack on industrial facility (Iran, 2010)
Cyber attack
on industrial plant (ICS)
Cannot close this presentation without Covid-19
Necessity, potential and complexity of cyber insurance becomes eminent
1 September 2020 23Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
▪ Increase in frequency and severity of
malicious attacks
▪ Increase on frequency in cyber-crime
losses
▪ Higher level of Cyber Risk awareness
▪ Enforcement of selective hardening
caused by Ransomware losses in
combination with the effects of Covid-19
▪ Less budget available to purchase
insurance – and to invest into IT security
Changed exposure due to shift
to home offices
Covid-19 used in the context of
phishing attacks
Whereas we have not yet seen increased losses, we see momentum to position Cyber with clients
What’s happening? Potential implications on Cyber insurance
Digitization-push (cash less online
shopping & communication; etc.)
Economic impact/ global
recession
Not if, but when – this will be true in both regards:
Getting the Cyber market going, but also getting hit by an attack
1 September 2020 24Wolfgang Boffo - LIMA Webinar - From Cyber Risk to Cyber Insurance
>TxsVeryMuch4yOURAttention!