ISDC_2015_Philippe Aerni_Cyber Versicherung

Presentation at IS Directors Conference | Interlaken - 18 September 2015

Cyber Insurance: a time journey, the past, the present and a glimpse at the future

Presentation IS Directors Forum 2015 – Interlaken, by Philippe Aerni & Willy Stössel


Table of Contents

Introduction

Coverage and Services provided

Loss Examples and Scenarios

Underwriting Criteria for Risk Selection

Outlook

Swiss Re Corporate Solutions Approach: Underwriting Technology E&O and Cyber Insurance

• Swiss Re Corporate Solutions has been underwriting Technology E&O (TMT – Technology, Media & Telecom) since 2001

• Cyber liability extensions and all 1st party extensions have been added over the years to all Technology E&O policies in the US market

• Swiss Re Corporate Solutions has dedicated Underwriters for this line of business in

– New York

– London

– Zurich

– Paris

• Swiss Re Corporate Solutions Risk Engineering and Group Risk Management & Information Security support Underwriters for the risk assessment

Cyber Risks: Nightmare or Opportunity?

(Image source: copyright protection may apply, source unknown)


Coverage and Services provided

5 facts about the Cyber insurance market

1. USD 1.5-2b: 2014 worldwide estimated premium (2013: ~ USD 1.2b; 2012: ~ USD 800m)

2. Competitive rates as carriers try to defend or gain market share

3. Full limits available for coverages sub-limited before

4. Healthcare is the fastest growing Cyber insurance buying segment

5. North America has the highest demand for Cyber insurance globally; Europe: low-mid demand will be driven by regulation

The Cyber Risk Landscape

Insurance Cover Landscape: Traditional Policies vs specific Cyber Policies

Existing Policy Landscape

• GL – Advertisement / Personal Injury

– Libel

– Slander

– Defamation

• Tech, Media & Telecom (E&O) – IP Infringement

– Copyright

– Trademark

– Patent *

• Tech, Media & Telecom (E&O) – Errors & Omissions

– Tech Services

– Tech Products

• PD/BI & Crime – Property/Crime

– PD / BI requires "direct physical loss" -> not satisfied

– Crime: requires intent and only covers money, securities, and tangible property

New Policy Landscape

• Cyber – Privacy

– Unintentional Disclosure

– Unintentional Breach of Privacy Policy

– Breach of Confidentiality

• Cyber – First Party Mitigation

– Investigation costs

– Notification costs

– Fines/Penalties

– Business Interruption

– Extortion moneys

* excluded from standard product

Cyber insurance – Current market offering

The current market offering includes First Party/ISBI, extortion and privacy coverage.

First Party / ISBI* – Unauthorized access, Hacking, Virus, Denial of Service

– Business Interruption or loss of data due to a general malicious attack (e.g., generic virus: love bug virus)

– Contingent Business Interruption due to lack of internet connectivity caused by IT failure at providers' location

– Costs for reinstatement of data

– Investigation costs to determine cause of security failure

Extortion – Investigation costs; Extortion of monies due to credible threat, e.g., introduction of malicious code

– Covers the monies paid by the insured as a result of a credible threat/series of related threats directed at the Insured

– e.g., to corrupt, damage or destroy the Insured's computer system, or to restrict or hinder access to the Insured's computer system

– e.g., to release, divulge, disseminate, destroy or use confidential information stored in the Insured's computer system

Privacy – Unintentional disclosure; Breach of confidentiality

– Liability: the defence and settlement costs for the liability of the insured arising out of its failure to adequately protect its private data

– Remediation: the response costs following a data breach, including investigation, public relations, customer notification and credit monitoring

– Fines and/or penalties: the costs to defend, settle fines and penalties that may be assessed by the regulator

* Stand-alone property / extensions to property

Overview of major market exclusions

1. Bodily injury / Property damage: current cover extends to economic loss only following a cyber event; clear differentiation to existing PD/BI products (Property/Casualty). New: AIG offers this coverage as a DIC/DIL coverage sitting excess of scheduled policies

2. Patent Infringement plus theft of trade secrets: undesired and hard to insure/quantify coverage

3. Fines & Penalties other than Data Protection fines following a breach

4. War, invasion, act of foreign enemy, hostilities or war-like operations (whether declared or not), civil war, mutiny, civil commotion: coverage is provided for act of cyber terrorism

5. Any seizure, confiscation, nationalization or destruction of a Computer System or electronic data by order of any governmental or public authority

6. Force Majeure: earthquake, volcanic eruption, tidal waves etc.

Gaps in existing traditional policies

• Traditional insurance policies provide limited coverage only for cyber attacks.

Cyber breach response – process overview and key considerations

Post-breach services to be delivered by a Primary Insurance Carrier:

Breach notification / consultation

– First point of contact will be Swiss Re and our external "Data Breach Counsel." This will be coordinated through the NetDiligence platform

– Five hour initial consultation from Data Breach counsel

– Facts gathered will allow Swiss Re to assess if a true breach has occurred

– Without first point of contact, materials may be discoverable

Forensics

– Retention of forensic services: to contain the breach; to understand the scope and breadth of the breach

Breach consultation

– Review of forensic materials

– When and where are breach notifications required?

– What is the potential for regulatory fines or penalties?

– What is the potential for legal action?

– What are the next steps?

Notification design

– Craft letter to Attorneys General and other state and federal agencies

– Craft letters to be sent to affected parties

– Craft speech and flow chart for call centers and potential credit monitoring companies

Public relations

– Engage public relations and crisis management experts to work with Swiss Re Claims and Data Breach Counsel during course of breach

Risk identification – Europe

Potential Risk Event | Likelihood | Potential impact
Website/copyright/trademark infringement claims | Low | Low
Legal Liability to others for computer security breaches | Low – Medium | Medium
Legal Liability to others for privacy breaches | Low – Medium | Medium
Privacy breach notification costs & credit monitoring | Low – Medium | Medium
Privacy regulatory action defense and fines | Low | Medium
Costs to repair damage to your information assets | Low | Medium
Loss of revenue due to a failure of security at a dependent technology provider | Low | Medium
Cyber Extortion threat | Low | Medium
Loss of revenue resulting from non-physical business interruption | Low – Medium | High

Loss Examples

Examples of large losses, US and not only in the US. Security Breaches / Data Breaches – type of losses

Recent examples of data-loss incidents

• Anthem BC/BS [Jan 2015]: Nr 2 Healthcare insurer in the US; 50 million PII records breached; excess of 80m records stolen; notification costs will hit the existing cyber tower: USD 100m – for at least USD 120m

• Centcom Twitter/YouTube Breach [Jan 2015]: Twitter & YouTube accounts hacked and pro-ISIS content uploaded

• Morgan Stanley [Dec 2014]: Insider attack compromising 3.5m customer accounts

• Sony PSN/Microsoft Xbox Live Network [Dec 2014]: DOS attack by hacker group (Lizard Squad) shut down service around Xmas holidays

Sony has booked USD 171m in data breach direct costs to date.* Target has incurred USD 178m in breach related expenses as of Nov 2014.** Heartland payment systems paid USD 150m in fines and legal costs from breach and suffered damage to its reputation as a payment processor.***

* PropertyCasualty360  ** New York Times  *** The Wall Street Journal

Security Breaches / Data Breach – Not only US losses (source: various articles)

Korea's financial regulators are coming down hard on three credit card companies whose customer data was stolen in the largest personal information leak in the country's history. The Financial Services Commission and the Financial Supervisory Service will suspend the business operations of KB Kookmin Card, NH Nonghyup Card and Lotte Card for three months starting February 17th 2014. Under the terms of the suspension, the companies will be banned from taking on new customers, issuing card loans or processing cash advances. Existing customers, however, will not be affected as the suspension does not ban the firms from providing financial services to them. … Last month's leak, which affected at least 20 million people, sparked concerns the data could have ended up in the hands of scammers. The estimated compensation for mental damage caused to customers is expected to reach nearly $160 Mio. As another part of the punishment, the CEOs of the three firms are to face punishment depending on their accountability. (source: … Connie Kim, Arirang News)

DigiNotar (September 2011) was a Dutch certificate authority; after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems. The company was declared bankrupt.

Cyberattacks on critical infrastructure are a reality and they're becoming more frequent. An IT security report for 2014 published by Germany's Federal Office for Information Security (BSI) … incident that caused physical damage to a facility. … An attack launched by an advanced persistent threat (APT) group against an unnamed steel plant in Germany resulted in significant damage, according to a new report.

Areva – Theft of IP, alleged state sponsored attack

Orange France: hacked twice in 2014, release of 1 mil plus customer data.

Underwriting Criteria for Risk Selection

Are you ready to respond to breaches?

• Are breach response procedures set up?

• Are roles and responsibilities assigned?

• Are monitoring and detection measures in place?

• Are immediate measures instituted to protect data?

• Are investigation resources available to analyse breaches?

• Are response and notification measures established?

• Are communication processes established?

Swiss Re Corso: IBM and Swiss Re teaming up to offer cyber risk protection services for commercial customers

Swiss Re's Business Challenge

• Entering new market – wanted to partner with experienced cyber security experts

• Focus enterprises, across the globe, for four types of exposures: computer viruses, hacking, Distributed Denial of Service or malware

Joint Approach

• Comprehensive support provided by a trusted partner: from training and cyber education through security risk assessments and vulnerability scans to cyber claims assistance

Swiss Re's Benefits

• Immediate access to world class expertise and experience of the global security leader – attractive value proposition to prospective customers

• Integration of cyber assessments and claims handling into overall Swiss Re's business processes – leverage of best practices

(Diagram: Swiss Re – IBM – Applicant)

IBM Cyber Security – Global reach and capabilities with local presence


Outlook

Driving Factors for Cyber Insurance: A Constantly Changing World

Factors surrounding "Company X":

• New Technology

• Legal Environment

• Accumulation issues

• Supply Chain

• M&A Growth Plans

• Complexity

• Cloud Computing

• "underestimated" small exposure

• Connectivity

• Known Vulnerabilities

• Awareness & Litigation approach

• Business Strategy

• Hacker Focus

• Standardization

Countries with Privacy/Data Protection Laws

• North America

– Canada

– Mexico

– United States (different legislation applies for certain industries and notification required in > 46 states)

• Central & South America

– Argentina

– Brazil (Pending)

– Chile

– Colombia

– Costa Rica

– Ecuador (Pending)

– Paraguay

– Peru

– Uruguay

• Middle East

– Israel

– UAE (DIFC)

• Africa

– South Africa

– Tunisia

• Asia-Pacific

– Australia

– China (draft privacy guidelines)

– Hong Kong

– India (privacy rules explained)

– Japan

– Malaysia

– New Zealand

– Philippines

– Singapore

– South Korea

– Taiwan

– Thailand

– Vietnam

• Europe

– 27 EU Member States +

– Norway

– Russia

– Serbia

– Switzerland

– Turkey (Pending)

– Ukraine

EU Data Protection reform (Regulation): revised version going to parliament after 21.10.2013 committee review, fines of up to EUR 100 Mio or 5% of annual worldwide turnover, whichever is greater. Update: Discussions also impacted by TTIP, heavily delayed.

There are 105 countries with existing or pending privacy or data protection legislation.


Legal notice

©2015 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivative works of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.

The information and opinions contained in the presentation are provided as at the date of the presentation and are subject to change without notice. Although the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage or loss resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial or consequential loss relating to this presentation.