Cyber Insurance From a Quantum Perspective

Speakers
Flemming Jensen – MDD Forensic Accountants
Steve Rosenthal – RGL Forensics
Overview
1. Introduction
2. What is Cyber Insurance and Cyber Business Risks
3. First Party Cyber Insurance Cover
4. Cyber Business Interruption Wordings
5. Calculating Cyber Loss of Profits
6. Case Studies
7. Q&A
Top Business Risks Worldwide
Source: Allianz Risk Barometer 2015
In 2015 Cyber Risk ranks 5th on the list of top business risks, and cyber risk is rising for business.
Cyber in the News
• Five out of six large companies were targeted by cyber criminals in 2014, a 40% increase over 2013.
• “In 2015 we fully expect a business to fail due to the financial consequences of a cyber attack” – Joe Hancock for AEGIS.
• “Cyber Risk poses the most serious threat to businesses and national economies” – Inga Beale, CEO of Lloyd’s
• The cyber insurance market has seen a 50% year-on-year increase in insurance submissions for the first three months of 2015.
• Distributed denial-of-service (DDoS) attacks cause losses of $150,000 per hour.
• Only 2% of large UK firms have cyber insurance; 50% of Risk Managers didn’t know cyber insurance existed.
• The biggest concern is damage to reputation and loss of customer trust.
What is a Cyber Attack?
• A cyber attack is an attempt by unauthorized individuals to damage, destroy or compromise a computer network or system, including unauthorized theft or usage of stolen data.
• By whom?
• Human Error
• Insider
• External – Criminals, Foreign Governments or cyber terrorists
• Extortion
Interesting Cyber Facts
Which cyber risks are the main cause of economic loss?
– Loss of reputation: 61%
– Business interruptions: 49%
– Loss of customer data: 45%
Cost of Data Breaches
Cyber in the Headlines
• TV5Monde (French Television Network)
– Disruption of 11 TV channel broadcasts for several hours due to a hack attack – April 2015
– Hack of the company’s website and social media accounts
• Mandarin Oriental (Hotel Chain)
– Credit card records in EU and US exposed – March 2015
• British Airways
– Frequent flyer accounts hacked – March 2015
• Anthem (Health Insurer)
– 80m records of current and former customers exposed – February 2015
– Potential damage control cost of more than $100 million
• Bitstamp (Bitcoin Exchange)
– $5 million in virtual currency stolen – January 2015
– Trades temporarily suspended, user accounts frozen and deposits blocked
• Premera Blue Cross (Health Insurer)
– Potentially exposed personal details, social security numbers, bank account details
– Discovered in January 2015
– Currently investigating with FBI and cybersecurity firms
Cyber in the Headlines
• Sony Pictures
– 200 gigabytes of internal data such as emails and salary information leaked – November 2014
– Estimated damage of $15 million
• Staples (Retailer)
– 1 million credit card details stolen – October 2014
• Target
– 70m records exposed in Q4 2013
– Loss estimated at $148m with insured losses estimated at $38m
• Home Depot
– 56 million records exposed in Q3 2014
– Loss estimated at $62m with insured losses estimated at $27m
• JP Morgan
– 83 million records exposed in October 2014
• Marsh estimates that cybercrime costs the global economy $445 billion each year
What is Cyber Insurance?
Cyber insurance covers the losses relating to damage to, or loss of
information from, IT systems and networks due to a cyber attack.
Cyber-insurance is an insurance product used to protect businesses
and individual users from Internet-based risks, and more generally from
risks relating to information technology infrastructure and activities.
What is a Cyber Loss?
• No damage in the physical sense
• Not typically covered under traditional business insurance policies
• Requires taking out a cyber risk insurance policy
Market Outlook 2015
Source: UK Cyber Security Report (March 2015)
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf
Cyber Insurance Market
• Global:
– 2014: Premiums estimated to have reached $2.4 billion (an increase of 50% compared to 2013)
• US:
– 2013: $1 – 1.3 billion in gross written premium
– 2014: $2 billion gross written premium
– 2015: Expected to exceed $2 billion in gross written premium
– Typical US premium of $100,000-$300,000 would buy $10 million cyber cover
• Europe:
– Currently $150 million
– Increasing from anywhere between 50% and 100% each year
– Growth in European market will be influenced by EU Cybersecurity Directive
• UK:
– London currently represents $225 million in premiums – 10% of the global market
– Most of the premiums come from the US
– Lloyds reported a 50% growth in insurance submissions in Q1 2015 compared to Q1 2014
– Typical UK premium of £150,000 would buy £10 million cyber cover
– Premium influenced by extent of exposure in the US
Typical Premiums for Cyber
Insurance in the US
Source: Deloitte
Cyber Insurance Premiums
Source: Cyber Risk Network
http://www.cyberrisknetwork.com/2015/01/15/advisen-insight-cyber-insurance-market-update/
What Are Cyber Risks?
• First Party Risks:
– Loss or damage to digital assets (data or software)
– Direct financial loss
• Theft of money through electronic theft
• Cyber extortion (threatening damage if money not paid)
– Theft of intellectual property / commercially sensitive information
– Business disruption / interruption from network downtime
– Investigation / Response costs
– Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
– Reputational damage arising from a breach of data that results in loss of customers
What Are Cyber Risks?
• Third Party Risks
– Security and privacy breaches, and the investigation, defence costs and civil damages associated with them
– Multi-media liability, to cover investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence in publication in electronic or print media
– Loss of third party data, including payment of compensation to customers for denial of access, DDoS (distributed denial of service) and failure of software or systems
Cyber Risk Policies
All policies are different but typically include cover for a range of First Party risk
exposures and Third Party liability exposures.
Examples of First Party Risks Covered
1. Loss or Damage to Digital / Data Assets
2. Business Interruption from Network Downtime – resulting in loss of income,
increased cost of operation and/or cost being incurred in mitigating the loss
3. Restoration Costs
4. Cyber Extortion
5. Reputational Damage – Crisis Management / PR Costs
6. Theft of Money and Digital Assets
Cyber Risk Policies
Examples of Third Party Risks Covered
1. Security and Privacy Breaches
2. Investigation of Privacy Breach
3. Customer Notification Expenses
4. Multi-media Liability
5. Loss of Third Party Data
6. Regulatory Fines and Penalties
7. Data Warehouse Breach
Cyber Risk Policies
• Policies Vary Widely as to:
– Policy Triggers
– Sub-limits
– Retentions
– Waiting Periods
– Definitions and valuation terms
• No such thing as “Standard Policy Cover”
Comparison of Traditional and
Cyber Insurance Policies
Source: Deloitte
Purpose of Business
Interruption Insurance
“To put the Insured back into the same financial position they would
have been in, but for the incident – subject to the policy wording”
Property Damage & Cyber Example Wording
• Trigger for a loss is an insured event
• Property Damage: “Direct physical loss or destruction of or damage to the Insured property”
• Interruption defined as:
– Suspension of the service provided by the Company’s Computer System solely caused by a Security Failure; or
– Inability of the Company to access Data due to such Data being deleted, damaged, corrupted, altered or lost but only where such deletion, damage, corruption, alteration or loss is solely caused by a Security Failure
• Maximum indemnity period includes:
– Period from end of Waiting Period until Interruption resolved, subject to 120 day limit
– Further 90 days from resolution of Interruption
• Measurement of loss of profits identical between Property & Cyber wordings
Defining Loss of Profits in Cyber Claims – Specimen Clauses
First Party Business Interruption
To indemnify the Named Insured for:
Business Interruption Loss, in excess of the applicable Retention, incurred by the Insured Organization during the Period of Restoration or the Extended Interruption Period (if applicable) as a direct result of the actual and necessary interruption or suspension of Computer Systems that first takes place during the Policy Period and is directly caused by a failure of Computer Security to prevent a Security Breach; provided that such Security Breach must first take place on or after the Retroactive Date and before the end of the Policy Period.
Business Interruption Loss incurred by the Insured due to a Business Interruption within the Indemnity Period as a direct result of the total or partial unavailability of the Company’s Computer System first Discovered during the Period of Insurance which is caused by a Business Interruption Event and which exceeds the Waiting Period;
Defining Loss of Profits in Cyber Claims – Specimen Clauses
Business Interruption Loss:
• Reduction in net profit attributable to a loss of revenue arising from the incident
• Continuing operating expenses
• Increased costs of working solely incurred as a consequence of the incident to reduce
the:
– Length of the period of interruption; and/or
– Loss of profit arising from the incident
Business Interruption Loss usually includes:
(a) the reduction in net profits;
(b) fixed operating expenses that continue to be incurred; and
(c) Extra / Additional Expenses.
Cyber Business Interruption Losses – Issues and Considerations
• The concept of BI following cyber crime is inherently the same as BI after physical damage to property.
• Property policy wordings have been around for decades and wordings are understood, despite the odd disagreement!
• Cyber policy BI wordings appear to try and achieve the same result but wordings are different – this could lead to frequent disputes.
• Perhaps the market will align with property wordings over time?
Cyber Business Interruption Losses – Issues and Considerations
- Interruption / Indemnity Period – mostly defined as from the date when the attack or damage occurred until the date when service is resumed (i.e. damage is repaired) – similar to US property wordings, or until some maximum date – similar to UK wordings.
- Some US policies have the option of an Extended Interruption Period until the business has recovered, but it is often limited in time.
- When did the attack occur and impairment begin?
- Waiting Period? Minutes? Hours?
- Is the impact still ongoing or has it ended? May not be clear.
- All losses may not flow from the event – direct linkage of lost revenues should tie to the event / specific attack
Cyber Business Interruption Losses – Issues and Considerations
- Some policies refer to historic periods whereas others incorporate what is commonly referred to as the ‘trend clause’.
- Impact on Revenue/Sales – Need to establish a baseline or standard (what would have been achieved but for the event)
- Benefit of a cyber environment is the availability of data!
- Disadvantage of a cyber environment is the possible lack of history and trend
- Potential Recovery or Make-Up Sales – some policies have clauses that provide for credit if sales are conducted ‘elsewhere’ or ‘by other means’
Cyber Business Interruption Losses – Issues and Considerations
- Non-Continuing Expenses – instead of insuring loss of gross profit with a savings clause (like conventional BI wordings), most cyber policies insure net profit and fixed expenses, but only to the extent the fixed costs “must necessarily continue”.
- How will “must necessarily continue” be interpreted?
- Causation – when assessing ongoing losses after service is resumed, will insurers seek to distinguish between the interruption of service and loss of trust by customers in terms of coverage?
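The following worked example is added here and is not from the slides or the speakers' firms; it puts numbers to the Business Interruption Loss components defined above (reduction in net profit, continuing fixed expenses, extra expense) together with the considerations just listed (waiting period, capped restoration period plus extended period, trend-clause baseline, make-up sales credit, non-continuing savings and the economic test on extra expense). The policy parameters, revenue figures and expense items are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    waiting_period_days: int    # shortfall inside the waiting period is not recoverable
    max_interruption_days: int  # cap on the Period of Restoration (120 days in the deck)
    extended_period_days: int   # Extended Interruption Period after service resumes (90 days)
    retention: float            # deductible applied to the final figure


@dataclass
class ExtraExpense:
    description: str
    cost: float
    loss_avoided: float           # the 'spend a dollar to save a dollar' test
    is_improvement: bool = False  # system improvements are usually excluded from cover


def baseline_daily_revenue(prior_period, trend_factor):
    """'Trend clause' baseline: prior-period daily average adjusted for growth."""
    return sum(prior_period) / len(prior_period) * trend_factor


def covered_days(outage_days, policy):
    """Day indices (day 0 = start of interruption) whose shortfall the policy counts."""
    restoration = range(policy.waiting_period_days,
                        min(outage_days, policy.max_interruption_days))
    extended = range(outage_days, outage_days + policy.extended_period_days)
    return list(restoration) + list(extended)


def business_interruption_loss(actual_daily, baseline, outage_days, policy,
                               variable_cost_ratio, non_continuing_savings,
                               make_up_sales, extra_expenses):
    """actual_daily: revenue per day from day 0 through the end of the extended period."""
    days = [d for d in covered_days(outage_days, policy) if d < len(actual_daily)]
    # Signed shortfall, so post-resumption days above baseline net off as recovery;
    # sales made 'elsewhere or by other means' are credited separately.
    lost_revenue = sum(baseline - actual_daily[d] for d in days) - make_up_sales
    # Lost revenue less variable costs not spent = reduction in net profit plus the
    # fixed expenses that continue (components (a) and (b)); fixed costs that did not
    # 'necessarily continue' (energy, maintenance) are deducted.
    profit_and_fixed = lost_revenue * (1 - variable_cost_ratio) - non_continuing_savings
    # Component (c): extra expense, only where economic and not an improvement.
    allowed_extra = sum(min(e.cost, e.loss_avoided)
                        for e in extra_expenses if not e.is_improvement)
    gross = profit_and_fixed + allowed_extra
    return {"covered_days": len(days),
            "lost_revenue": round(lost_revenue, 2),
            "profit_and_fixed_costs": round(profit_and_fixed, 2),
            "extra_expense": round(allowed_extra, 2),
            "net_claim": round(max(0.0, gross - policy.retention), 2)}


def example_claim():
    """Constructed online-retailer scenario: 48-hour outage, one-day waiting period."""
    policy = Policy(waiting_period_days=1, max_interruption_days=120,
                    extended_period_days=90, retention=5000.0)
    baseline = baseline_daily_revenue([9500, 10500, 10000, 10000], trend_factor=1.25)
    actual = [0, 0, 7500, 9500, 13500, 14500, 12500]  # days 0-1 down, 2-6 recovering
    extras = [ExtraExpense("promotional campaign", 2000, 3000),
              ExtraExpense("staff overtime", 1500, 900),
              ExtraExpense("new firewall (improvement)", 8000, 0, is_improvement=True)]
    return business_interruption_loss(actual, baseline, 2, policy, 0.5, 500.0, 1000.0, extras)
```

Running `example_claim()` shows the day-0 shortfall excluded by the waiting period, the two above-baseline recovery days reducing lost revenue, the improvement cost dropped from extra expense, and the retention applied last.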
Policy Trigger – What is Loss or Damage?
• Security failure resulting in…
• Hardware damage?
• Software alteration?
– Added malicious content
– User data and/or databases
– Is this damage?
• Whose damage or interruption?
– Insured’s own computer equipment, suppliers
• Caused by whom?
– Rogue employee(s), cyber-crook, errors by staff, independent contractors, outsourcers?
• Does the incident constitute direct damage?
• Forensic investigation required
Cyber Business Interruption Losses – Extra / Other Expenses
• Similar to traditional Business Interruption losses, the insured would typically incur reasonable and necessary expenses during the period of restoration to minimize or avoid a partial or total interruption in services as a result of a covered loss, including renting/leasing of external equipment, additional staff or labor costs, etc.
• Examples of possibly quantifiable costs:
– Investigation Costs
– Restoration Costs
– Work-arounds, short term services
– Remediation and Prevention Costs
– Cyber Extortion
– Reputational Damage
– Consumer Notification Expenses
– Regulatory fines and penalties
Cyber Business Interruption Losses – Extra Expense (I of II)
- Most policies refer to Extra / Additional Expense – wording requires the costs to be economic – ‘spend a dollar to save a dollar’
- Extra Expense – are these costs being segregated by the Insured? May not be straightforward to identify as being over and above normal business.
- Expenses to improve digital systems are usually excluded. The line between investigation and improvement can be less than clear but quite crucial. The area of vulnerability may need to be corrected but it is an area that seems to be beyond the coverage currently available.
- Use of Internal Resources – in an effort to resume business
Cyber Business Interruption Losses – Extra Expense (II of II)
- Speed is of the essence and the Insured is likely to deploy substantial internal manpower resources to rectify the damage, protect the reputation etc. Not necessarily an increased cost to the business but a burden on the business nonetheless.
Additional Expenses
• Database Restoration or Replacement (sometimes falls under separate cover e.g. Restoration Costs)
– Reconstitute Database
– Install and reload servers
– Relocate operations
– Redirect DNS
• To Achieve Make-up Sales
– Purchased services from competitors
– Websites and domains purchased and developed
– Redirecting DNS submissions
Redirecting DNS
• DNS (Domain Name System)
• “Phone book” for the internet
• DNS translates human-readable names into IP addresses
• Change DNS for the domain through the registrar (examples: GoDaddy, Network Solutions). This results in the domain resolving to the new destination and serving the new information.
• Process can take 24-48 hours… or 5 minutes!!!
Role of the Forensic Accountant
• Forensic Accountants can assist insurers in the measurement of the loss.
• The principles are very similar to traditional Business Interruption losses.
• Independent forensic accounting firms have the depth of resource and experience to handle large volumes of data and ensure the loss is measured in accordance with the terms of the policy.
• The forensic accountant will work as part of the team – with claims handlers, IT analysts, lawyers and adjusters.
Case Study 1: Background
• Manufacturer of high end consumer electronic products
• Insured operates production sites in Malaysia, Brazil and Romania
• Hackers gain access to IT control equipment for Romanian production line:
– Insured denied access to IT equipment that controls production machinery
– Hackers upload malware onto production network
– Production stopped for period of several days
Case Study 1: What are the Issues?
• Length of time required to:
– Regain control of the network and machinery
– Repair hacker’s point of entry and remove malware
– Restart production
– Return production to pre-incident volumes
• Can production scheduling or location be amended to minimise sales losses?
• Has there been an actual loss of sales or has lost production simply been made up?
• Concerns over risk of similar attack at other sites
Case Study 1: Measuring the Loss
• Does loss of production cause a loss of sales?
– Review pre and post incident production volumes at all relevant locations
– Establish extent of production spare capacity, if any
– Consider how stock volumes have been utilised
– Analyse pre and post incident sales volumes for products manufactured on affected line
– Review sales trends and market data for the relevant product
• Increased costs of working:
– Overtime at incident and alternative locations during and after end of repair period
– Airfreight costs for raw materials and finished goods
– Outsourcing costs
– Assess whether costs claimed for improved network security
• Savings may occur in shutdown period – e.g. energy, maintenance
Case Study 2: Background
• Online retailer selling branded fashion products
• Hackers gain access to network infrastructure, including sales system and web server:
– Consumer names, addresses and credit card data stolen
– Website inaccessible to customers for period of 48 hours while evidence is collated
• Cyber attack widely reported in mainstream media
Case Study 2: What are the Issues?
• Length of time required to:
– Regain control of the network
– Repair hacker’s point of entry and remove malware
– Change login credentials for affected customers
– Return website to normal operations
• Impact of incident on consumer confidence and potential for reputational losses
Case Study 2: Measuring the Loss
• Has incident reduced consumer use of site?
– Review pre and post incident site visit count data
– Determine extent of any changes in search engine rankings
– Assess pre-incident linkage between site visits and sales
– Establish extent of reduction in sales attributable to reduction in traffic
– Establish extent of any make-up in sales after normal operations resume
• Increased costs of working:
– Post incident advertising to address consumer confidence and to increase site visits
– Promotional campaigns with existing customer base
– Discounts and promotional offers to increase post incident sales
• Will reduction in consumer confidence cause a loss of revenue after the end of the maximum indemnity period?
Case Study 3: Background
• Hospital providing private medical services to health care insurers
• Hackers gain access to Insured’s network:
– Insured denied access to all patient records
– Hackers upload malware onto network and demand ransom for Insured to regain access
• Forensic investigators and security consultants advise Insured not to pay ransom
• Insured elects to reconstruct patient data from backups onto replacement network
Case Study 3: What Are the Issues?
• Date of last complete backup pre-incident
• Length of time required to:
– Obtain and install replacement server
– Restore patient data from backup
– Reconstruct changes to data that occurred between date of last complete backup and incident
• Ability of Insured to use server capacity at other locations in the interim period
• Impact on patient care and treatment of Insured’s short term inability to access current patient data
Case Study 3: Measuring the Loss
• Need to establish the following:
– Medical procedures/operations cancelled or postponed due to patient data being inaccessible
– Extent to which postponed treatment may impact scheduling of treatment for other patients
– Impact on new patient bookings
– Daily revenue earned from each hospital facility
• Increased costs of working:
– IT consultant costs incurred in reconstructing network and patient records
– Overtime costs related to rescheduling of treatment outside normal working hours
– Costs incurred at other hospitals for transferred patients immediately post incident
– Impact on patient care and effect on the insured’s short-term inability to access current patient data
Cyber Risk Insurance – Still ‘Ground Floor’
• Not many claims to date.
• Policy coverage will surely be challenged as claims evolve and different situations arise.
• Policy coverage and wordings will likely evolve too.
• Choose partners who can support you through this change and ensure your clients value the claims handling process.
Questions?