
Cyber Insurance - The Basics


Page 1: Cyber Insurance - The Basics

CYBER RISKS & CYBER INSURANCE

The Cyber Insurance Consultancy

Chris Stallard – Chief Insurance Imagineer [email protected]

Page 2: Cyber Insurance - The Basics

‘CYBER’ – WHERE DID IT COME FROM?

First coined by mathematics professor Norbert Wiener in 1948.

Groundbreaking account of various systems that led to and influenced AI and complex systems.

“Cyber” itself is derived from a Greek term meaning ‘steersman’ or ‘governor’.


Page 3: Cyber Insurance - The Basics

A BRIEF HISTORY OF CYBER TIME

First policies bound in the US in the late 1990s

Low product evolution due to Y2K and 9/11

2016 – US: Mature; UK/Europe: Growing; Asia/AU and NZ: Emerging

2008 – Cyber premiums in region of $500m

Circa 2000 – First Betterley Report on Cyber Insurance

2020 – Global GWP estimated at $7.5bn to $15bn


Page 4: Cyber Insurance - The Basics

WHY BUY CYBER INSURANCE?

•  Privacy Legislation including the Australian Privacy Principles (APPs)

•  Forms part of an effective risk management framework

•  PCI-DSS obligations

•  Ubiquitous exposure - IoT

•  Lack of coverage within traditional insurance programs

•  Potential for system vulnerabilities

•  Benefits of accessing expertise when it is needed

•  Bad guys attack weaknesses, not strengths


Page 5: Cyber Insurance - The Basics

GREAT NEWS!! – YOU HAVE THE SKILLS TO SELL

As an Insurance Professional, you already have risk transfer knowledge.

Risk considerations and exposures associated with Cyber are very similar to those that businesses already face.

Quite simply, a business faces the impact of a Cyber event on its operations and revenue.

In addition to first-party exposures, it has exposures to third parties (customers primarily).

In line with tradition, there will be costs and expenses associated with managing the impact, including:

-  increased costs of working
-  business interruption
-  defence costs
-  investigation costs
-  other expenses such as expert services.


Page 6: Cyber Insurance - The Basics

CYBER….YOUR FAMILIAR BUT NEW RISK

Fire Damage Business Interruption Event Expenses Third Party Actions

Virus Attack – E-mail attachment contained the virus

Applications and Data Damage

BI – 3 weeks to reconstitute data and 3 months to recover

Event Expense – Systems & data recovery experts, customer comms.

Third Party Actions – Customers bring action following exposure of PII


Page 7: Cyber Insurance - The Basics

CYBER COVERAGE

1st Party (Damage, Event Expense, BI)

•  Cost to replace, restore (data) from network breach
•  Costs of extortion monies and expenses
•  Business Interruption – loss of income and extra expenses

3rd Party (TPAs, Event Expense)

•  Identity theft
•  Breach of privacy
•  Failure to protect confidential data
•  Transmission of spyware, viruses & code

Costs (Event Expense)

•  Notification costs incurred
•  Regulatory defence costs
•  PR and crisis management costs
•  Fines and penalties


Page 8: Cyber Insurance - The Basics

RISK TRANSFER OR COVER GAP?

TRADITIONAL PROGRAM COVERS versus COVERAGE SHORTFALLS

GL – Unlikely that policies will provide cover for data breaches

PROP – Typically require physical loss or damage and may specifically exclude electronic data

D&O/ML – Would usually only respond to actions brought against D&Os for a ‘Wrongful Act’

PI/E&O – Cover is not usually afforded for information/data breaches (unless part of ‘Professional Services’)

EXTS. – Most Cyber extensions are only as effective as the underlying policy trigger


Page 9: Cyber Insurance - The Basics

LOSS SCENARIOS:

LOST LAPTOP

A laptop which is used by a number of employees is left in a coffee shop in the Sydney CBD. It cannot be located.

The laptop contains 25,000 customer records including names, addresses and banking information.

RANSOMWARE

A business owner opens their first e-mail of the day. The opening line reads “Your data has been locked by us”.

The content is clear: there is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.

SYSTEM VULNERABILITY

Personal and financial information has been obtained via security weaknesses in a computer system. Over 250,000 identities implicated.

The Insured was made aware of the breach/es by the Federal Police and immediate cessation of operations is required.


Page 10: Cyber Insurance - The Basics

SCENARIO 1: LOST LAPTOP

A company laptop has been left in a coffee shop in the Sydney CBD. It cannot be located.

The laptop contains 25,000 customer records including names, addresses and banking information.

1st Party

Most policies will cover the costs of recovering data (but usually only as a result of a ‘virus’ attack).

Policies do not typically cover physical property, and the laptop should be insured under a property policy.

3rd Party

Most policies will provide cover for actions brought against the insured for breach of privacy or for damages as a result of personal information impacting a third party, e.g. credit history black marks.

Costs

•  Notifying customers of breach
•  Costs of monitoring credit reports
•  Defence costs in respect of third party claims or regulatory investigation/action


Page 11: Cyber Insurance - The Basics

SCENARIO 2: RANSOM

Business owner opens an e-mail. The opening line reads “Your data has been locked by us”.

There is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.

1st Party

Extortion threats are usually covered under market forms, including the payment of monies to release or prevent data damage. However, the recommendation is that no payment is made, as monies demanded can increase and there is no guarantee that data will be left untouched.

3rd Party

In the event that any PII or PHI is exposed then most policies will respond to actions brought by third parties and/or regulatory authorities.

Costs

•  Costs of monitoring credit reports
•  Investigation and virus removal costs
•  Defence costs in respect of third party claims or regulatory investigation/action


Page 12: Cyber Insurance - The Basics

SCENARIO 3: SYSTEM VULNERABILITY

Personal and financial information has been obtained via weaknesses in a computer system. Over 250,000 identities implicated.

Federal Police advised insured of the breach and immediate cessation of operations is required.

1st Party

Should the investigation result in a material impact to the operations of the business preventing them from operating, some policies do make provision for impact on profit or revenue.

3rd Party

In the event that any PII or PHI is exposed then most policies will respond to actions brought by third parties and/or regulatory authorities.

Costs

•  Costs of monitoring credit reports
•  Investigation and virus removal costs
•  Defence costs in respect of third party claims or regulatory investigation/action
