Introduction to cyber risks and cyber insurance (19/03/2015)

19/03/2015 - ZAGREB
LSM Cyber Suite Coverage
First Party
– Loss or damage to digital assets
– Non-physical business interruption and extra expense
– Cyber extortion and cyber terrorism
– Reputational harm (unique to Liberty)
Third Party
– Security and privacy liability and defence costs
» network security breaches
» transmission of malicious code
» damage, alter, corrupt, distort, copy, delete, steal, misuse, or destroy Third Party Digital Assets
» breach of third party or employee privacy rights or wrongful disposal of data
» causing a DDoS attack on a third party
» phishing or pharming
» confidentiality
– Privacy regulation defence, fines and penalties
» PCI fines extensions available
– Customer care & reputational expenses
» notification expenses
» credit monitoring
» PR expenses
» forensic expenses
– Multi-media Liability
The insured causes of loss for first party losses include not only computer crime and computer attacks by third parties, but also accidental damage or destruction of hardware and administrative or operational mistakes by employees and third party providers.
Committed or failed to prevent a Wrongful Act
Do I already have some cover for cyber risks under my other insurance policies?
– Professional Indemnity
• Only if the loss occurred in the ‘ordinary course of your professional services’.
• No cover for claims by employees.
• Unlikely to cover malicious or unauthorised use of the Insured’s own network to damage, misuse or destroy its clients’ data or to cause a denial of service attack.
• Computer virus transmission often excluded.
• Cover often restricted to claims made by an Insured’s client.
• Usually no cover for investigations by the regulator.
• Generally third party cover only, so no cover for customer care and reputational expenses such as costs of notification, credit monitoring and PR, or for loss of business income, damage to digital assets, cyber extortion or reputational
– General Liability
• Only covers bodily injury and physical property damage.
• Data deemed by courts to be an intangible form of property.
• Business interruption cover only if arising out of material damage, not if arising out of non-material damage to
• Computer virus and network exposures are typically excluded.
– Computer All Risks
• Only covers costs for repairing damaged hardware (tangible property).
– Crime insurance
• Usually limited coverage for money, securities, or “tangible assets.”
• Must be a “loss” and a “gain” to trigger coverage.
• Identification of perpetrator sometimes required.
• Does not address the business income loss.
75% of companies say IT risks impact customer satisfaction and brand reputation. (IBM Data Breach Statistics)
38% increase in the number of incidents where personal data was exposed, stolen or lost in 2012 over 2011. (IBM Data Breach Statistics)
63% of small businesses (fewer than 250 employees) surveyed by the Department for Business, Innovation and Skills had been hacked by an unauthorised outsider in the preceding 12 months.
87% of the same respondents had experienced a security breach in the past year.
As many as 175 out of 335 data breach incidents investigated by the ICO concerned data being ‘disclosed in error’. (ICO report on breaches in the first quarter of 2013)
Average cost of a UK data breach according to 2011 Symantec study was £1.75m or £79 per record.
According to the 2013 Cost of a Data Breach Study (Ponemon 2013), the average cost of a data breach per record in 2012 was $136, up $6 from the previous year.
The average number of records breached was 23,647; however, the survey does not include organisations that have lost more than 100k records.
Malicious attacks were the most prevalent cause of data breaches, but only just: they were responsible for 37%, while negligence/human error was responsible for 35% and system glitches for 29% (Ponemon 2013).
On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).
In 2003, Croatia adopted the Act on Personal Data Protection (the “Act”), which it subsequently amended in 2006, 2008 and 2011. The Act closely tracks the principles of the Data Protection Directive. For example, international data transfers outside of Croatia are only allowed when an adequate level of protection of personal data is ensured (unless a derogation applies). Additionally, the Act requires data controllers to maintain records of their processing activities, which must be submitted to the Personal Data Protection Agency for compilation in a Central Register. This generally corresponds to the notification obligation under the Data Protection Directive. For certain specified violations, the Act establishes fines in the amount of HRK 20,000 to 40,000 (approximately €2,700 to €5,400).
In addition, Croatia has enacted several specific laws and regulations. For example, the Electronic Communications Act implements the e-Privacy Directive 2002/58/EC, as amended by Directive 2009/136/EC, and the Regulation on the Procedure for Storage and Special Measures Relating to the Technical Protection of Special Categories of Personal Data sets forth detailed information security measures.
The Croatian Personal Data Protection Agency monitors compliance with the Act on Personal Data Protection.
The purpose of the GDPR is to provide a single law for data protection covering the whole of the EU, instead of the present Directive, which has ended up being implemented differently in each Member State.
Rights for Individuals: The Regulation introduces the “right to be forgotten”, which will give an individual the right to contact an organisation that holds and makes his personal information public and request that it be deleted.
Centralised Data Protection Authority: Following the introduction of the Regulation, organisations that carry on business in the EU will only have to deal with a single data protection authority in Europe rather than multiple authorities in each Member State in which they operate.
Sanctions of up to 5% of annual turnover or EUR 100m, whichever is greater.
Definition of personal information to be expanded to include things like social media posts and IP addresses.
Mandatory notification to the relevant authority of data breaches, as well as, in some cases, notification of affected individuals.
Jean-Claude Juncker, the newly appointed president of the EU Commission, has said he will make Data Protection Law Reform a high priority.
It is expected to take two years from being passed before the law finally comes into force. Nothing in the Directive states that it will definitely take two years, and it could very well be enforced sooner. Current expected date of implementation
Large Data Breach Example
A major US retailer was the subject of a data breach scandal that affected as many as 40m credit cards.
Hackers gained access to the retailer’s systems by first hacking its HVAC vendor, then using the vendor’s stolen login credentials to gain access to the retailer’s network and place malware on point of sale devices.
Despite relatively sophisticated security being in place, the POS malware was able to persist undetected for months.
The breach is estimated to have cost the retailer $272m, of which $90m was recovered through cyber insurance.
Profit was down by 44% in the retailer’s fourth quarter.