Cyber insurance – a new product to ensure premium growth?
June 4th 2015 Andreas Schayer – Topic Network IT
Agenda
Cyber Risk – The business risk of an enterprise associated with the use, ownership, operation, involvement, influence and adoption of IT*) *) IACA - Information Systems Audit and Control Association
The „Cyber World“
Loss examples
Cyber primary insurance market
Dimensions and costs of cyber risks
Accumulation Control
Cyber insurance – a new product to ensure premium growth? A.Schlayer - Munich RE
2
The Cyber World No borders, more interdependencies, fast developing High losses (Sony breach) Location, resources, age, etc. less relevant Hidden for years (Russia stole military data) Highly protected systems (China hacked NASA) Cyber Terror / War (Ukraine, Estonia) Counterparty exposure (Epsilon lost client data) Top Management affected (Target)
Source: http://list25.com/25-biggest-cyber-attacks-in-history/2/
Physical damage possible (Stuxxnet)
Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
3
Liability in the global cyber world – loss example
Insured Stockholm
User New York
Server India
Hacker Brazil
Cyber insurance – a new product to ensure premium growth? A.Schlayer - Munich RE
4
Loss examples
252 180 160
170
TJX: 45.6 million credit and
170
140
debit45.6 card numbers TJX: million creditwere and debit
150
card numbers were stolen stolen
120
HPS: credit andand debit HPS:130 130million million credit
100
cards debitwere cardscompromised were
80
compromised Sony: theft of 77 million peoples'
60
theof PlayStation details Sony:on theft 77 million
40 20
90
30
30
5
0 TJX
Total loss
Heartland Payment Systems
Sony Corp
Network (PSN)
peoples' details on the PlayStation Network (PSN)
Figures approximate in million USD Source: SEC filings
Target As of March‘15
Insurance proceeds
So far, large cyber incidents covered max 30% Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
5
Cyber primary insurance market Strong growth expected Estimated Cyber Primary Insurance Market Rest of the World
North America
6-8
~ 1-3
DEVELOPMENT 90% of cyber premiums in North America Tight data breach regulation Large incidents (e.g. Target) Only recently few higher loss events for insurers
1,3-1,5 ~0,1 ~1,2-1,4 2013
Source:
2,1-2,3 ~ 0,1-0,3
~5
~2 2014
Fast development in other markets Recent strong uptake of customer requests and insurance products; changing regulation
2020
Advisen: 2014 Network Security & Cyber Risk Management
Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
6
Dimensions of cyber risks
Denial of service Extortion Electronic vandalism Theft of data Computer virus
Security
Privacy laws EU directive HIPAA + HITECH Gramm-Leach-Bliley
Primarily first-party
Reputation
Costs
Compliance & Privacy
Primarily third-party Loss of reputation after cyber incident by third party own fault
Systematic posting of wrong information
Liability
Intellectual property infringement Product/service failure Privacy violation
Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
7
Possible costs after an incident
Impact on Business Data recovery System recovery System update to prevent future incidents Production interruption Forensic investigations Incident response Crisis mgmt Redesign of critical infrastructure
Liability Losses (i.e. 3rd party revenue losses
Notifications, call centre costs, postage
Legal implications Law suits (from vendors, customers, business partners) Legal advice
Credit monitoring
Defense costs
Identity restoration
Fines and penalties
Infringement of trademarks
Class action litigation
Miscellaneous Loss of revenue Loss of contracts Reputational damage Share price impact Reduced sales Future sales impact Extortion payments
Public relations costs Devaluation of intellectual property
Preparation and professional consulting significantly decreases costs Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
8
Cyber insurance contains property and casualty
Cyber insurance policy
1st party Cyber Expenses
Crisis Consulting
IT Vandalism
Forensics
Electronic Theft
Notification Costs
Business Interruption
Call Center
Network Extortion
Credit Monitoring
Internal Network Interruption
Legal Counsel
Administrative Fines
3rd party Cyber Liability Internet Communication and Media Liability Intellectual Property Access Failure Security Failure Technology E&O Privacy Disclosure Liability
Carriers use different terms, combinations and coverage for elements Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
9
Manage accumulation exposures
“Global Outage” of the Internet
Self-reproducing Computer Viruses
Worldwide spread
Worldwide spread
Large number of services interrupted
Large number of systems infected by one event
No prevention by insured possible
Cannot be reinsured Accurate modeling not possible Excluded under reinsurance treaty and/or insurance policy
Large Cloud Service Provider Accumulation is triggered by one company Large number of clients affected in one event
Monitor budget Model of a “Super Virus” Determine effect on portfolio
Monitor Low limits for unnamed service provider
Introduce sublimit in policy
High limits for named service provider
Annual aggregate limit in reinsurance treaty
Monitor exposure per service provider
Prerequisites: Specialized underwriting, professional risk assessment (technical and legal), experienced claims handling Cyber insurance – a new product to ensure premium growth? - A.Schlayer - Munich RE
23 April 2015
10
Thank you very much for your attention
Andreas Schlayer
[email protected] © 2014 Münchener Rückversicherungs-Gesellschaft © 2014 Munich Reinsurance Company
