Cyber Risk The Risk no business can ignore

Cyber Risk Presentation
Agenda
Primarily for the Sales and FSPG teams: to understand what cyber security attacks, breaches, liabilities and first-party losses are, and to understand and be able to explain the coverages in a cyber security policy.
We will focus on:
The meaning of a cyber attack
How serious is the risk?
What types of organisations are exposed to the risk?
What are the consequences and other implications of cyber crime that victims suffer besides first-party financial loss?
Is coverage available?
Why should you incept a separate cyber risk policy?
What are the typical coverages available?
How can Aon help you?
Any questions?
The meaning of a cyber attack
Cyber attack means unauthorised access, unauthorised use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organisation's computer system, causing losses to the victim organisation and/or resulting in Failure of Security or Denial of Service.
What is Denial of Service? Denial of service means the inability of a third party, who is authorised to do so, to gain access to the organisation's computer system through the internet in the manner in which the third party is legally entitled.
What is Failure of Security? Failure of security means failure of the organisation's hardware, software or firmware (including firewalls, filters, DMZs, computer virus protection software, intrusion detection, and the electronic use of passwords or access codes or similar identification of authorised users) whose purpose is to prevent a computer attack, unauthorised access, unauthorised use and/or disclosure of confidential or private information and/or the transmission of a computer virus into or from the organisation's computer system, to actually prevent any of the foregoing events.
An alternative policy definition: Cyber-attack means the transmission of fraudulent or unauthorized Data that is designed to modify, alter, damage, destroy, delete, record or transmit information within a System without authorization, including Data that is self-replicating or self-propagating and is designed to contaminate other computer programs or legitimate computer Data, consume computer resources or in some fashion usurp the normal operation of a System.
How serious is the risk ?
Recently:
In early August 2011, the Hong Kong Stock Exchange was forced to suspend trading in eight listed companies following cyber attacks by hackers.
Apple has faced several lawsuits from iPhone users over privacy concerns, following claims that some iPhone applications share users' personal information with advertisers.
Sony Computer Entertainment America reported a security breach of its PlayStation Network by hackers who gained unauthorised access to personal information on some 100+ million subscribers. The breach was so broad that it not only caused Sony to incur business losses because it had to suspend operations, but also left Sony exposed to multiple class action lawsuits. Early estimates put the losses at US$2bn.
The PM of Singapore announced the setting up of a National Cyber Security Centre, which will boost Singapore's national capability to counter cyber security threats. In his own words, Singapore is a highly networked government and this itself has created a very significant vulnerability to cyber attacks.
How serious is the risk ?
The fact of the matter is that:
Over the last 5 years, 79%-83% of organisations have experienced a breach.
Over the last 5 years, there have been 2,807 publicly disclosed data breaches worldwide, resulting in damages exceeding US$139bn. (Source: Digital Forensics Association, USA)
In 2010 alone, some 16 million confidential records were exposed through more than 662 reported security breaches. (Source: Identity Theft Resource Center, USA) A March 2011 Ponemon Institute benchmark study, U.S. Cost of a Data Breach, found that the annualized cost of the attacks averaged $7.2 million, with the average cost per compromised record in 2010 reaching $214, up 5% from 2009.
Leading insurers are reporting increased activity in privacy breaches: last year, privacy breaches ran at about 1-2 per week; this year, it is more like 6-8 per week. (Beazley Syndicate)
These have been all-pervasive: governments, large consulting and accounting organisations (PwC, Deloitte, E&Y, KPMG, Accenture, Aon Consulting, Mercer, EDS ...), hospitals and schools have all reported cyber security threats/attacks, leaving them vulnerable to difficult-to-insure damages, such as lost future business and reputation, and to insurable damages such as customer class action litigation, notification costs, and credit card issuer cancellation and reissuance costs.
How serious is the risk ?
What does it mean in terms of monetary losses?
For large organisations, the average total cost per breach is estimated at USD 6.75M per incident, an increase from $6.6M, $6.3M and $4.8M in 2009, 2008 and 2007 respectively.
The cost to resolve a breach ranged from $750,000 to $31,000,000, and the number of records breached ranged from 5,000 to 101,000.
The average cost per compromised record was $204, an increase from $202, $197 and $182 in 2009, 2008 and 2007 respectively.
Data breaches experienced by first-timers are more expensive than those encountered by organisations that have had previous data breaches ($198 vs. $228).
From an insurance standpoint, Aon benchmarking indicates that approximately 80 percent of reported breaches result in total defense and indemnity costs of less than $1 million, approximately 15 percent result in insurable damages between $1 million and $20 million, and approximately five percent result in total costs above $20 million.
Cyber security breaches are now a painful reality for organisations of all kinds, at all levels, and cyber risk is now identified as a top 10 risk for companies.
What types of Organizations are exposed to the risk ?
All organisations whose data is stored in or transmitted through, and whose business is conducted through, hardware and software systems, including computers and servers, data centres, mobile devices (BlackBerrys, laptops, VoIP) and third-party IT vendors.
All organisations that are highly networked and whose core activities depend on computer systems to conduct their day-to-day operations, e.g. financial institutions such as banks, stock exchanges and insurance companies, and almost any other type of large organisation, including government departments.
All organisations who hold proprietary and confidential data about various people. This would include the following types of data:
PII (Personally Identifiable Information): banks, insurance companies (all financial companies) and government departments.
PHI (Personal Health Information).
Credit card and other financial information: all companies who engage in e-commerce are highly vulnerable to this risk.
All high-profile companies are exposed to increased risks of cyber extortion and e-theft.
All IT companies who render professional services for the design and maintenance of the IT systems of the above companies, and who are custodians of the above databases by virtue of their service agreements.
Consequences and other implications of Cyber Attacks
Cyber attacks could lead to property loss (including laptops), disclosure of confidential data (data pertaining to clients, the company's own financial and other confidential data, sensitive HR data relating to employees), corruption or loss of an organisation's systems or data, and corruption or loss of third-party systems or data, thereby resulting in:
Suspension of activities leading to Business Interruption losses (besides direct property losses!)
Drop in the stock price
Regulatory fines and penalties, and increased supervision from government authorities thereafter
Notification expenses
Significant other costs such as forensics costs (to investigate the security breach), PR costs, crisis communication costs and consultancy costs
Multiple class action lawsuits from people affected by the privacy breach, leading to higher legal and defense costs and ultimately settlements
The biggest cost so far is the liability to banks that must cancel and reissue credit and debit cards.
Once a breach occurs, the breached entity faces embarrassment and public relations nightmares, loss of business, litigation and liability, investigations by regulators and government agencies, and significant expenses.
Is Coverage available ?
Cyber risk coverage is generally available under these broad categories:
Property: denial of web services; business interruption; e-theft or theft of data.
Liability: defence and settlement costs for the liability of the insured arising out of its failure to properly care for private data.
Remediation: response costs following a data breach, including investigation, public relations, customer notification and credit monitoring.
Fines & Penalties: the costs to investigate, defend and settle fines and penalties that may be assessed by a regulator. Most carriers do not provide this coverage, although there can be coverage for defense costs.
Why should you incept a separate cyber risk policy ?
Traditional policies have not transitioned to the digital world and therefore are not adapted to cover the peculiar losses that arise from cyber risks.
Material gaps often observed in the traditional policies are:
General Liability covers bodily injury and property damage, not economic losses.
E&O policies provide for economic damages resulting from a failure of defined services ONLY, and often contain exclusions for data and privacy breaches. E&O policies are not designed to cover:
Business interruption
Property damage
Costs/losses associated with internal systems problems and loss of the organisation's related data/employee data
Property Insurance covers tangible property; data is not tangible property. Loss must be caused by a physical peril; the perils to data are viruses and hackers.
Traditional Fidelity policies only cover employees and only cover money, securities and tangible property; internal systems are exposed to the world at large and data is not tangible. There is no coverage for third-party property or data. They also all require an intention to make personal gain, and sometimes identification and prosecution of the perpetrator, all of which are difficult in the cyber world.
What are the typical coverages available ?
FIRST PARTY COVERAGE (triggered by discovery of an incident):
Privacy Event Expenses (usually sub-limited)
Cyber Extortion
Business Interruption
Digital Asset Protection
THIRD PARTY LIABILITY (triggered by a claim):
Security Liability
Privacy Liability
Privacy Regulatory Proceedings (usually sub-limited)
Website Media Liability
What are the typical coverages available ?
FIRST PARTY COVERAGE (triggered by discovery of an incident)
Privacy Event Expenses (usually sub-limited): Coverage for your fees and expenses due to a potential or actual violation of a privacy regulation. Covered expenses can include computer forensics expenses, costs for a public relations firm and related advertising to restore your reputation, notification expenses and credit monitoring services.
Cyber Extortion: Coverage for the investigation and settlement of a cyber-extortion threat against you.
Business Interruption: Coverage that protects your income in the wake of a computer attack. Coverage also includes dependent business interruption. There is a waiting-period retention of between 6 and 24 hours.
Digital Asset Protection: Coverage for costs incurred to restore or recollect digital assets (software and data) that are corrupted, destroyed or deleted due to a covered computer attack.
What are the typical coverages available ?
THIRD PARTY LIABILITY (triggered by a claim) may sometimes be covered by suitable extensions to the E&O/PII programme of the insured organisation.
Security Liability: Coverage for defense costs and damages the insured is legally obligated to pay resulting from a failure of computer security, including liability caused by theft or disclosure of confidential information, unauthorized access, unauthorized use, denial of service attack or transmission of a computer virus.
Privacy Liability: Coverage for defense costs and damages suffered by others for any failure to protect personally identifiable or confidential corporate information, whether or not due to a failure of network security. Includes unintentional violations of your privacy policy and misappropriation that results in identity theft.
Privacy Regulatory Proceedings (usually sub-limited): Coverage for defense costs for proceedings brought by a governmental agency in connection with a failure to protect private information. The insuring agreement may include coverage for fines and penalties to the extent insurable by law. Coverage for damages, i.e. amounts the insured is required by settlement to deposit into a consumer redress fund, may be provided depending on the insurer.
Website Media Liability: Coverage for defense costs and damages suffered by others for content-based injuries such as libel, slander, defamation, copyright, title or trademark infringement, or invasion of privacy with respect to the creation and dissemination of your content on your website, including advertising.
How can Aon Global help you ?
Aon delves deep into the following exposures to customise policy terms, and does a detailed analysis of coverage strengths, weaknesses and gaps to arrive at bespoke insurance.
How can Aon Global help you ?
Diverse backgrounds in law, consulting services, technology, intellectual property and insurance.
Marketplace differentiator for convergent risks with components of Errors & Omissions Liability, Media Liability, Network Security & Privacy Liability, and Intellectual Property Infringement, which have fundamentally changed the industry.
Legal expertise leads to expert policy customization, contract reviews and claim advocacy.
Claims experts manage carrier relationships and advocate to get your claim paid.
Unparalleled understanding of evolving professional liability and privacy exposures.
Team members collaborate and share expertise in a geographically aligned model, with colleagues on the ground in San Francisco, Denver, Chicago, Philadelphia, London and Singapore.