CYBER RISKS & CYBER INSURANCE
The Cyber Insurance Consultancy
Chris Stallard – Chief Insurance Imagineer [email protected]
‘CYBER’ – WHERE DID IT COME FROM?
First coined by mathematics professor Norbert Wiener in 1948.
Groundbreaking account of various systems that led to and influenced AI and complex systems.
“Cyber” itself is derived from a Greek term meaning ‘steersman’ or ‘governor’.
A BRIEF HISTORY OF CYBER TIME
• Late 1990s – First policies bound in the US
• Low product evolution due to Y2K and 9/11
• Circa 2000 – First Betterley Report on Cyber Insurance
• 2008 – Cyber premiums in the region of $500m
• 2016 – US: Mature; UK/Europe: Growing; Asia/AU and NZ: Emerging
• 2020 – Global GWP estimated at $7.5bn to $15bn
WHY BUY CYBER INSURANCE?
• Privacy Legislation including the Australian Privacy Principles (APPs)
• Forms part of an effective risk management framework
• PCI-DSS obligations
• Ubiquitous exposure - IoT
• Lack of coverage within traditional insurance programs
• Potential for system vulnerabilities
• Benefits of accessing expertise when it is needed
• Bad guys attack weaknesses not strengths
GREAT NEWS !! – YOU HAVE THE SKILLS TO SELL
As an Insurance Professional, you already have risk transfer knowledge.
Risk considerations and exposures associated with Cyber are very similar to those that businesses already face.
Quite simply, a business faces the impact of a Cyber event on their operations and revenue.
In addition to first party exposures, they have exposures to third parties (customers primarily).
In line with tradition, there will be costs and expenses associated with managing the impact, including:
- increased costs of working
- business interruption
- defence costs
- investigation costs
- other expenses such as expert services.
CYBER….YOUR FAMILIAR BUT NEW RISK
Fire → Damage → Business Interruption → Event Expenses → Third Party Actions
• Virus Attack: E-mail attachment contained the virus
• Applications and Data Damage
• BI: 3 weeks to reconstitute data and 3 months to recover
• Event Expense: Systems & Data recovery experts, customer comms.
• Third Party Actions: Customers bring action following exposure of PII
CYBER COVERAGE
1st Party (BI, Damage, Event Expense)
• Cost to replace, restore (data) from network breach
• Costs of extortion monies and expenses
• Business Interruption – loss of income and extra expenses
3rd Party (TPAs, Event Expense)
• Identity theft
• Breach of Privacy
• Failure to protect confidential data
• Transmission of spyware, viruses & code
Costs (Event Expense)
• Notification costs incurred
• Regulatory Defence costs
• PR and Crisis Management costs
• Fines and Penalties
RISK TRANSFER OR COVER GAP?
TRADITIONAL PROGRAM COVERS versus COVERAGE SHORTFALLS
• GL: Unlikely that policies will provide cover for data breaches
• PROP: Typically require physical loss or damage and may specifically exclude electronic data
• D&O/ML: Would usually only respond to actions brought against D&Os for a ‘Wrongful Act’
• PI/E&O: Cover is not usually afforded for information/data breaches (unless part of ‘Professional Services’)
• EXTS.: Most Cyber extensions are only as effective as the underlying policy trigger
LOSS SCENARIOS:
LOST LAPTOP
A laptop which is used by a number of employees is left in a coffee shop in the Sydney CBD. It cannot be located.
The laptop contains 25,000 customer records including names, addresses and banking information.
RANSOMWARE
A business owner opens their first e-mail of the day. The opening line reads “Your data has been locked by us”.
The content is clear: there is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.
SYSTEM VULNERABILITY
Personal and financial information has been obtained via security weaknesses in a computer system. Over 250,000 identities implicated.
The Insured was made aware of the breach/es by the Federal Police and immediate cessation of operations is required.
SCENARIO 1 – LOST LAPTOP
A company laptop has been left in a coffee shop in the Sydney CBD. It cannot be located.
The laptop contains 25,000 customer records including names, addresses and banking information.
1st Party
Most policies will cover the costs of recovering data (but usually only as a result of a ‘virus’ attack).
Policies do not typically cover physical property and the laptop should be insured under a property policy.
3rd Party
Most policies will provide cover for actions brought against the insured for breach of privacy or for damages as a result of personal information impacting a third party, e.g. credit history black marks.
Costs
• Notifying customers of breach
• Costs of monitoring credit reports
• Defence costs in respect of third party claims or regulatory investigation/action
SCENARIO 2 – RANSOM
Business owner opens an e-mail. The opening line reads “Your data has been locked by us”.
There is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.
1st Party
Extortion threats are usually covered under market forms, including the payment of monies to release or prevent data damage. However, the recommendation is that no payment is made, as monies demanded can increase and there is no guarantee that data will be left untouched.
3rd Party
In the event that any PII or PHI is exposed, most policies will respond to actions brought by third parties and/or regulatory authorities.
Costs
• Costs of monitoring credit reports
• Investigation and virus removal costs
• Defence costs in respect of third party claims or regulatory investigation/action
SCENARIO 3 – SYSTEM VULNERABILITY
Personal and financial information has been obtained via weaknesses in a computer system. Over 250,000 identities implicated.
Federal Police advised insured of the breach and immediate cessation of operations is required.
1st Party
Should the investigation result in a material impact to the operations of the business, preventing it from operating, some policies do make provision for impact on profit or revenue.
3rd Party
In the event that any PII or PHI is exposed, most policies will respond to actions brought by third parties and/or regulatory authorities.
Costs
• Costs of monitoring credit reports
• Investigation and virus removal costs
• Defence costs in respect of third party claims or regulatory investigation/action