cyber liability the ticking time bomb · cyber liability the ticking time bomb an underwriter’s...
TRANSCRIPT
CYBER LIABILITY
THE TICKING TIME BOMB
AN UNDERWRITER’S PERSPECTIVE
Media: Convergence amongst media interests to exploit the Internet and
the social networking generation Digital opportunities for content distribution, subscription income
and web page advertising Expenditure on Internet advertising outstripping traditional TV
media buying
Technology: Explosive growth in web applications, bandwidth, business process
outsourcing, data storage, Big data analysis and Cloud computing
Brand: Increase in value and importance of intellectual property assets and
brand recognition, aided by exploitation via digital distribution and viral marketing
Trends
Global ‘cyber’ Insurance Market
Capacity: $500M
$40M in new capacity in London since 2012
Double Digit Premium growth in 2013
Estimated GWP: $1 billion
Generic ‘cyber’ policy
Media liability/PI
Network security/privacy liability
Business interruption
Crisis management
Regulatory fines/penalties
Extortion
Brand/reputation
What’s at risk?
Data
IP
Business operations
CORPORATE
TRADE SECRETS- INTELLECTUAL PROPERTY-PROPRIETARY INFORMATION
IDENTIFYING INFORMATION
BIOMETRIC:FINGERPRINT-VOICE PRINT-RETINA/IRIS IMAGE
TELCOM ELECTRONIC SERIAL NUMBERS-IP ADDRESS
PERSONAL INFORMATION
CREDIT CARD-NI/SS-DRIVERS LICENCE-PASSPORT MEDICAL-BANKING-PASSWORD
DATAPAPER ELECTRONIC ORAL
What’s at risk?
Data/IP Bus Op
Brand
Reputation
Competitive Advantage
Investment
Stock Value
Activity:
• Passive content advertising products and services or more interactive – blogs, discussion forum
• Social networking and user generated content
• Collection of personal information
• Downloads and email
• Purchase of goods or services using credit cards
• Linking to other sites
Issues:
• Media liability exposure to claims for defamation or infringement of copyright or trademark in own or other’s content
• Responsibilities under Data Protection laws for security of information
• Virus propagation
• Liability for fraudulent use of credit card information
• Vicarious liability
Risk Issues
Technology:
• Information technology and infrastructure functionality and security
• Software, data, intellectual property
• Servers, PC’s, laptops, PDA
• Data collection, databases, data mining
• Outsource service providers
Issues:
• Business interruption, increased cost of working and extra expense
• Loss or theft of data and subsequent replacement or restoration costs
• Breach of security and subsequent loss or misuse of private or confidential information
• Investigation by data regulator
• Loss of PCI status• Remedial credit
monitoring
Risk Issues
Technology:
• Information technology and infrastructure functionality and security
• Software, data, intellectual property
• Servers, PC’s, laptops, PDA
• Data collection, databases, data mining
• Outsource service providers
Issues:
• Social engineering scams
• Impaired functionality or corruption of data following targeted attacks by hackers or disgruntled employee
• Cyber extortion threats
• Denial of service attacks
• Virus infection of key operating system
• Failure of OSP – security, service levels, pandemic
Risk Issues
Cloud :
• Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on demand
• Users no longer have need for expertise in, or control over, the technology infrastructure "in the cloud" that supports them.
• Over-the-Internet provision of dynamically scalable and often virtualized resources
Issues:
• Loss of control of vendor selection
• Reliance on contractual provisions
• Jurisdictional and geographical exposures
• Cross border breach of Data Protection legislation
Risk issues
The perfect business partner?
Well funded
Highly motivated
Technologically advanced
Global network
24/7 availability
Cyber crime
WHAT IS IT?
o Offences that are committed against individuals or groups of individuals with a criminal motive
o To intentionally harm the reputation of the victim or cause physical or mental harm to the victim
o To carry out financial, identity or data theft, or espionage
o Using modern telecommunication networks such as Internet (chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)
WHAT IS CYBER CRIME?
• Illegal file sharing - downloading of music or video files
• Hacking of computers: theft, destruction or unauthorised use of intellectual property or data
• Denial of service attacks
• Child pornography/internet grooming
• Sale of counterfeit goods
• Creation and distribution of virus, malicious code, spam
• Social engineering: cyber stalking, phishing or pharming
• Cyber terrorism and cyber extortion
Impact:
– Damage to reputation, brand or individual
– Financial loss, extra expense and liability
– Interruption in business and loss of market
How can the frequency and sophistication of cyber
crime be accurately assessed?
It can’t in its entirety…………..
……….without a uniform method of collecting cyber crime data……..
Perhaps its easier to consider the cost?
Cost to UK economy GBP27bn
IP theft
Espionage
ID theft
Online scams
Online fraud
Data loss
Online theft
Extortion
Fiscal fraud
What is the insurance solution for our clients?
Review options under existing policies
Follow the liability and regulatory chain
CYBER
PI
TECH
COMPUTER ALL RISKS
CRIMECGL
MEDIA
K&R
What is the insurance solution for our clients?
• Breach notification laws enacted in most states since 2002
• Gramm-Leach-Bliley Act ("GLBA")/American Recovery and Reinvestment Act require FI, HCPs and their OSPs to notify
USA
• No pan EU breach notification standard
• No general definition of data breachEuropean Union
• Notification “without undue delay” - 24 hours
• Sliding scale of fines up to 2% of global turnover
EU Data Protection Regulation
• Further than personal data breach requirements
• Critical infrastructure operators (financial services, transport, energy, health)
• Information society services (app stores, e-commerce platforms, Internet payments, cloud, search engines, social networks)
• Report “significant impact on security of services”
EU Cyber Security Directive
ICO £4.26m
SDPA €19.6m
SPNP $171m
36 COUNTRIES
855 INCIDENTS
174 MILLION RECORDS
What is the insurance solution for our clients?
Review options under existing policies
Follow the liability and regulatory chain
Consider broad form first party network security policy
Cover for loss of intellectual property
Agreed data asset/intellectual property valuation at the outset
Agreed method of adjusting loss and indemnity period
Carve back for Cyber terrorism
SOCIETY
COMMUNICATION
BEHAVIOUR
TECHNOLOGY
INTERACTION
To what extent is the growth of social networking
contributing to cyber product development?
• Significant media implications for companies: advertising, traditional and viral marketing, brand awareness, brand alignment
• Significant exposures: negative image, loss of custom, security breach, liability and own loss implications - defamation, intellectual property infringement
• Implications for individuals: cyber bullying, e-stalking, social engineering scams, identity theft
How can underwriters approach the pricing of emerging and evolving cyber risks?
• Gather the data
• Choose your target sectors
• Break the risk down into its component parts
• Get your advocates in place
SECTOR ANALYSIS
OWN LOSS AND LIABILITY
SUPPLY CHAIN TPS
CONTRACT
DIRECT AND INDIRECT
COSTS
NOTIFICATION
REGULATORY ACTION
FINES AND PENALTIES
REMEDIATION
POLICY
CYBER LIABILITY
THE TICKING TIME BOMB
AN UNDERWRITER’S PERSPECTIVE