PANEL DISCUSSION: Cyber Risk Insurance

(Network Security & Privacy Insurance)
19 March 2015
Panelists:
Cinzia Altomare, Manager Facultative, Gen Re, Italy
Michael Shen, AVP, Liberty Specialty Markets, and the founding member of Cyber Risk and Insurance Forum, Great Britain
Ivica Perica, Director at Business Advisory Services Department, Deloitte Adriatics, Croatia
Zdenko Adelsberger, consultant for IT security and risks management, Bluefield, Croatia
Moderator:
Tin Lesić, Executive Director of Development, Aon, Croatia
Aon Risk Solutions | Croatia
If you can answer all of the following – stop listening…
• How did this happen? Are we sure it has stopped now?
• What type of information is involved?
• Where to find a lawyer who is knowledgeable in this area?
• Can the affected third parties sue and would cyber policy cover legal defense costs?
• Are cyber risks already covered under our existing insurance policies?
• Would cyber insurance policy respond if our employee steals information?
• Is offline data covered by cyber insurance policy as well?
• Do you notify the media and what are you going to say?
• Do you offer credit monitoring?
• Do you need to notify regulators, affected parties, the police, providers/suppliers?
• Are local or EU laws triggered and how do we comply?
Typical misconceptions about cyber risk
“We have a firewall, so we are protected.”
“We have antimalware protection, so we are not at risk.”
“We have the best IT department.”
“Why would our organization be a target?”
“We don’t have an e-commerce website, so we are not at risk.”
“We are compliant with PCI, ISO, etc., so we are not at risk.”
“We outsource some of the processes / activities so the vendor will be liable for anything that goes wrong.”
“Our IT department is managing risk effectively”
“Our existing insurance policies typically cover some cyber risk”
“We determine coverage needs based on what our peers are doing”
“Our data is not a high-risk target for cyber threats”
“The cost of cyber insurance exceeds the incident cost”
“The financial cost of an incident would not be significant”
“Our industry is not at high risk for cyber threats”
“We don’t need it – We’re not subject to US style regulation”
“I’ve never had a cyber breach so I don’t need this coverage”
“We don’t need it – we outsource our security”
Notable data breach incidents

| Date Breach Reported | Entity | Loss Estimate | Records Impact (millions) |
|---|---|---|---|
| Jun 2014 | NYC Taxi & Limousine Commission | Not Known | 173M |
| Oct 2013 | Adobe Systems, Inc. | Not Known | 152M |
| May 2014 | eBay, Inc. | Not Known | 145M |
| Jan 2009 | Heartland Payments Systems | $143M | 130M |
| Dec 2013 | Target Brands, Inc. | $200M | 110M |
| Jan 2007 | TJX Companies Inc. | $256M | 94M |
| Jun 2011 | Sony | $280M | 77M |
| Aug 2014 | J.P. Morgan | Not Known | 76M |
| Sep 2014 | Home Depot | $62M | 56M |
| Mar 2012 | Global Payments | $125M | 7M |
Before you buy… Risk finance is part of overall risk management program structure
Phases: Qualification, Quantification, Mitigation, Transfer
I. Risk & Exposure Assessment: What can go wrong?
II. Scenario Quantification: What is the financial impact?
III. Risk Mitigation & Maturity Review: How am I protected?
IV. Insurable Risk Review: Will my insurance respond?
What is Cyber?
[Diagram. Where: Online, Offline. Who: Internal or External, Malicious or Accidental. What: Technology, Protected Data, Media. Financial Impact: Crisis Expense, Extra Expense, Lost Income, Defence Expense, Regulatory Fine, Liability.]
Who creates cyber risk?
Full Year 2014. Source: datalossdb.org
[Pie chart. Categories: Internal Accidental, Internal Malicious, External, Internal Unknown, Unknown. Values shown: 6%, 8%, 17%, 13%, 56%.]
How could the Cyber policy respond?
5th March 2015
Breach of point-of-sale credit card systems in the US and Europe
How could the Cyber policy respond?
1st January 2015
Insurance Coverage
Key features of cyber insurance
Use of third parties
PPM: Price per Million of Limit
Comparative analysis for selected peers: Technology and Communications industry
Per Occurrence Deductible Comparison
Comparative analysis for selected peers: Technology and Communications industry
A typical gap-analysis may look like this…
Policy limits
Comparative analysis for selected peers: Technology and Communications industry
European/London Cyber Insurance Markets
Theoretical Capacity* in €MM – Any one Risk
[Bar chart, vertical axis 0 to 300 €MM. Markets shown: ACE, Aegis, AGM, AIG, AIG Cat xs, Allianz, Amlin, ANV, Arch, Argo, Ascent, Aspen, AWAC, Axis, Barbican, Beazley, Berkshire Hathaway, Brit, Catlin, CFC, Chaucer, Chubb, CNA, Cove Underwriting, Endurance, HCC, HDI Gerling, Hiscox, Kiln, Lexington, Liberty, Markel, Marketform, Mitsui, Munich Re, Navigators, Novae, Pembroke, Principia, QBE, Sagicor, Scor, Starr, Swiss Re, WR Berkley, XL, Zurich.]
*Not including new catastrophe capacity available on an excess/DIC basis or from reinsurance markets
Cyber Risk Diagnostic Tool
www.aoncyberdiagnostic.com