Presentation at IS Directors Conference | Interlaken - 18 September 2015
Cyber Insurance: a time journey, the past, the present and a glimpse at the future
Presentation IS Directors Forum 2015 – Interlaken, by Philippe Aerni & Willy Stössel
Table of Contents
Introduction
Coverage and Services provided
Loss Examples and Scenarios
Underwriting Criteria for Risk Selection
Outlook
Swiss Re Corporate Solutions Approach: Underwriting Technology E&O and Cyber Insurance
• Swiss Re Corporate Solutions has been underwriting Technology E&O (TMT – Technology, Media & Telecom) since 2001
• Cyber liability extensions and all 1st party extensions have been added over the years to all Technology E&O policies in the US market
• Swiss Re Corporate Solutions has dedicated Underwriters for this line of business in
– New York
– London
– Zurich
– Paris
• Swiss Re Corporate Solutions Risk Engineering and Group Risk Management & Information Security support Underwriters for the risk assessment
Cyber Risks: Nightmare or Opportunity?
(Source: copyright protection may apply, source unknown)
Coverage and Services provided
5 facts about the Cyber insurance market
• USD 1.5-2b: 2014 worldwide estimated premium (2013: ~ USD 1.2b; 2012: ~ USD 800m)
• Competitive rates as carriers try to defend or gain market share
• Full limits available for coverages sub-limited before
• Healthcare is the fastest growing Cyber insurance buying segment
• North America has the highest demand for Cyber insurance globally; Europe: low-mid demand will be driven by regulation
The Cyber Risk Landscape
Insurance Cover Landscape: Traditional Policies vs specific Cyber Policies
Existing Policy Landscape / New Policy Landscape
Policy types shown: Tech, Media & Telecom (E&O); Cyber; GL; PD/BI & Crime
Other labels in the figure: Privacy; First Party; Mitigation; Advertisement; Personal Injury; Property/Crime
Exposures shown:
• Libel, Slander, Defamation
• IP Infringement: Copyright, Trademark, Patent *
• Errors & Omissions: Tech Services, Tech Products
• Unintentional Disclosure; Unintentional Breach of Privacy Policy; Breach of Confidentiality
• Investigation costs; Notification costs; Fines/Penalties
• Business Interruption; Extortion moneys
Notes:
• PD / BI: requires "direct physical loss" -> not satisfied
• Crime: requires intent and only covers money, securities, and tangible property
* excluded from standard product
Cyber insurance: current market offering
The current market offering includes First Party/ISBI, extortion and privacy coverage

First Party / ISBI*
Product:
• Unauthorized access
• Hacking
• Virus
• Denial of Service
Comment:
• Business Interruption or loss of data due to a general malicious attack (e.g., generic virus: love bug virus)
• Contingent Business Interruption due to lack of internet connectivity caused by IT failure at providers' location
• Costs for reinstatement of data
• Investigation costs to determine cause of security failure

Extortion
Product:
• Investigation costs
• Extortion of monies due to credible threat, e.g., introduction of malicious code
Comment:
• Covers the monies paid by the insured as a result of a credible threat/series of related threats directed at the Insured
• e.g., to corrupt, damage or destroy the Insured's computer system, or to restrict or hinder access to the Insured's computer system
• e.g., to release, divulge, disseminate, destroy or use confidential information stored in the Insured's computer system

Privacy
Product:
• Unintentional disclosure
• Breach of confidentiality
Comment:
• Liability: the defence and settlement costs for the liability of the insured arising out of its failure to adequately protect its private data
• Remediation: the response costs following a data breach, including investigation, public relations, customer notification and credit monitoring
• Fines and/or penalties: the costs to defend, settle fines and penalties that may be assessed by the regulator

*Stand-alone property/extensions to property
Overview of major market exclusions
1. Bodily injury / Property damage
– Current cover extends to economic loss only following a cyber event
– Clear differentiation to existing PD/BI products (Property/Casualty)
– New: AIG offers this coverage as a DIC/DIL coverage sitting excess of scheduled policies
2. Patent Infringement plus theft of trade secrets
– Undesired and hard to insure/quantify coverage
3. Fines & Penalties
– Other than Data Protection fines following a breach
4. War, invasion, act of foreign enemy, hostilities or war-like operations (whether declared or not), civil war, mutiny, civil commotion
– Coverage is provided for act of cyber terrorism
5. Any seizure, confiscation, nationalization or destruction of a Computer System or electronic data by order of any governmental or public authority
6. Force Majeure
– Earthquake, volcanic eruption, tidal waves etc
Gaps in existing traditional policies
• Traditional insurance policies provide limited coverage only for cyberattacks:
Cyber breach response – process overview and key considerations
Post-breach services to be delivered by a Primary Insurance Carrier

Breach notification / consultation
• First point of contact will be Swiss Re and our external "Data Breach Counsel." This will be coordinated through the NetDiligence platform
• Five hour initial consultation from Data Breach Counsel
• Facts gathered will allow Swiss Re to assess if a true breach has occurred
• Without first point of contact, materials may be discoverable

Forensics
• Retention of Forensic services:
– To contain the breach
– To understand the scope and breadth of breach

Breach consultation
• Review of forensic materials
• When and where are breach notifications required?
• What is the potential for regulatory fines or penalties?
• What is the potential for legal action?
• What are the next steps?

Notification design
• Craft letter to Attorneys General and other state and federal agencies
• Craft letters to be sent to affected parties
• Craft speech and flow chart for call centers and potential credit monitoring companies

Public relations
• Engage public relations and crisis management experts to work with Swiss Re Claims and Data Breach Counsel during course of breach
Risk identification – Europe

Potential Risk Event | Likelihood | Potential impact
Website/copyright/trademark infringement claims | Low | Low
Legal Liability to others for computer security breaches | Low – Medium | Medium
Legal Liability to others for privacy breaches | Low – Medium | Medium
Privacy breach notification costs & credit monitoring | Low – Medium | Medium
Privacy regulatory action defense and fines | Low | Medium
Costs to repair damage to your information assets | Low | Medium
Loss of revenue due to a failure of security at a dependent technology provider | Low | Medium
Cyber Extortion threat | Low | Medium
Loss of revenue resulting from non-physical business interruption | Low – Medium | High
Loss Examples
Examples of large losses US and not only in the US
Security Breaches / Data Breaches – type of losses
Recent examples of data-loss incidents
• Centcom Twitter / YouTube Breach: Twitter & YouTube accounts hacked and pro-ISIS content uploaded [Jan 2015]
• Anthem BC/BS: Nr 2 Healthcare insurer in the US; 50 million PII records breached; Excess of 80 m records stolen; Notification costs will hit the existing cyber tower: USD 100m - for at least USD 120m [Jan 2015]
• Morgan Stanley: Insider attack compromising 3.5m customer accounts [Dec 2014]
• Sony PSN / Microsoft Xbox Live Network: DOS attack by hacker group (Lizard Squad) shut down service around Xmas holidays [Dec 2014]

• Sony has booked USD 171m in data breach direct costs to date *
• Target has incurred USD 178m in breach related expenses as of Nov 2014 **
• Heartland Payment Systems paid USD 150m in fines and legal costs from breach and suffered damage to its reputation as a payment processor ***

* PropertyCasualty360 ** New York Times *** The Wall Street Journal
Security Breaches / Data Breach: Not only US losses (source: various articles)

Korea's financial regulators are coming down hard on three credit card companies whose customer data was stolen in the largest personal information leak in the country's history. The Financial Services Commission and the Financial Supervisory Service will suspend the business operations of KB Kookmin Card, NH Nonghyup Card and Lotte Card for three months starting February 17th 2014. Under the terms of the suspension, the companies will be banned from taking on new customers, issuing card loans or processing cash advances. Existing customers, however, will not be affected as the suspension does not ban the firms from providing financial services to them. ... Last month's leak, which affected at least 20 million people, sparked concerns the data could have ended up in the hands of scammers. The estimated compensation for mental damage caused to customers is expected to reach nearly $160 Mio. As another part of the punishment, the CEOs of the three firms are to face punishment depending on their accountability. Source: … Connie Kim, Arirang News.

DigiNotar (September 2011) was a Dutch certificate authority. After it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. The company was declared bankrupt.

Cyberattacks on critical infrastructure are a reality and they're becoming more frequent. An IT security report for 2014 published by Germany's Federal Office for Information Security (BSI) … incident that caused physical damage to a facility. … An attack launched by an advanced persistent threat (APT) group against an unnamed steel plant in Germany resulted in significant damage, according to a new report.

Areva – Theft of IP, alleged state sponsored attack

Orange France: hacked twice in 2014, release of 1 mil plus customer data.
Underwriting Criteria for Risk Selection
Are you ready to respond to breaches?
• Are breach response procedures set up?
• Are roles and responsibilities assigned?
• Are monitoring and detection measures in place?
• Are immediate measures instituted to protect data?
• Are investigation resources available to analyse breaches?
• Are response and notification measures established?
• Are communication processes established?
Swiss Re Corso: IBM and Swiss Re teaming up to offer cyber risk protection services for commercial customers

Swiss Re's Business Challenge
• Entering new market – wanted to partner with experienced cyber security experts
• Focus enterprises, across the globe for four types of exposures: computer viruses, hacking, Distributed Denial of Service or malware

Joint Approach
• Comprehensive support provided by a trusted partner: from training and cyber education through security risk assessments and vulnerability scans to cyber claims assistance

Swiss Re's Benefits
• Immediate access to world class expertise and experience of the global security leader – attractive value proposition to prospective customers
• Integration of cyber assessments and claims handling into overall Swiss Re's business processes – leverage of best practices

Diagram labels: Swiss Re, IBM, Applicant
IBM Cyber Security - Global reach and capabilities with local presence
Outlook
Driving Factors for Cyber Insurance: A Constantly Changing World
Factors shown around "Company X":
• New Technology
• Legal Environment
• Accumulation issues
• Supply Chain
• M&A Growth Plans
• Complexity
• Cloud Computing
• "underestimated" small exposure
• Connectivity
• Known Vulnerabilities
• Awareness & Litigation approach
• Business Strategy
• Hacker Focus
• Standardization
Countries with Privacy/Data Protection Laws
There are 105 countries with existing or pending privacy or data protection legislation

• North America
– Canada
– Mexico
– United States (different legislation applies for certain industries and notification required in > 46 states)
• Central & South America
– Argentina
– Brazil (Pending)
– Chile
– Colombia
– Costa Rica
– Ecuador (Pending)
– Paraguay
– Peru
– Uruguay
• Middle East
– Israel
– UAE (DIFC)
• Africa
– South Africa
– Tunisia
• Asia-Pacific
– Australia
– China (draft privacy guidelines)
– Hong Kong
– India (privacy rules explained)
– Japan
– Malaysia
– New Zealand
– Philippines
– Singapore
– South Korea
– Taiwan
– Thailand
– Vietnam
• Europe
– 27 EU Member States +
– Norway
– Russia
– Serbia
– Switzerland
– Turkey (Pending)
– Ukraine

EU Data Protection reform – (Regulation): revised version going to parliament after 21.10.2013 committee review, fines of up to EUR 100 Mio or 5% of annual worldwide turnover, whichever is greater
Update: Discussions also impacted by TTIP, heavily delayed
Legal notice
©2015 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivative works of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.
The information and opinions contained in the presentation are provided as at the date of the presentation and are subject to change without notice. Although the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage or loss resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial or consequential loss relating to this presentation.