cyber risk presentation 2013 (agib)


Upload: anish-kumar-pandey

Post on 03-Jun-2018


TRANSCRIPT

Page 1: Cyber Risk Presentation 2013 (AGIB)

8/12/2019 Cyber Risk Presentation 2013 (AGIB)

http://slidepdf.com/reader/full/cyber-risk-presentation-2013-agib 1/17

Cyber Risk  – The Risk no business can ignore


Cyber Risk Presentation


Agenda

Primarily for the Sales and the FSPG teams to understand what cyber security attacks, breaches, liabilities and first party losses are, and to understand and be able to explain the coverages in a cyber security policy.

Basically we will focus on:

The meaning of a cyber attack

How serious is the risk?

What types of Organizations are exposed to the risk?

What are the consequences and other implications of Cyber Crime that victims suffer besides just 1st party financial Loss?

Is Coverage available?

Why should you incept a separate cyber risk policy?

What are the typical coverages available?

How can Aon help you?

Any Questions?


The meaning of a cyber attack

Cyber attack means unauthorised access, unauthorised use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organisation’s computer system causing losses to the victim organisation and/or may result in Failure of Security or Denial of Service.

What is Denial of Service? Denial of service means the inability of a third party, who is authorised to do so, to gain access to the organisation’s computer system through the internet in a manner in which the third party is legally entitled.

What is Failure of Security? Failure of security means failure of the organisation’s hardware, software or firmware (including firewalls, filters, DMZs, computer virus protection software, intrusion deletion or theft and the electronic use of passwords or access codes or similar identification of authorised users) whose purpose is to prevent a computer attack, unauthorised access, unauthorised use and/or disclosure of confidential or private information and/or the transmission of a computer virus into or from the Organisation’s computer system to actually prevent any of the foregoing events.

Cyber-attack means the transmission of fraudulent or unauthorized Data that is designed to modify, alter, damage, destroy, delete, record or transmit information within a System without authorization, including Data that is self-replicating or self-propagating and is designed to contaminate other computer programs or legitimate computer Data, consume computer resources or in some fashion usurp the normal operation of a System.


How serious is the risk?

Recently:

In early August 2011, the Hong Kong Stock Exchange forced a trading suspension in eight listed companies following cyber attacks by hackers.

Apple has faced several lawsuits from iPhone users over privacy concerns following claims that some iPhone applications share users’ personal information with advertisers.

Sony Computer Entertainment America reported a security breach of its PlayStation Network by hackers who gained unauthorised access to personal information on some 100+ million subscribers. The breach was so broad that it not only caused Sony business losses, because it had to suspend operations, but also left Sony exposed to multiple class action lawsuits. Early estimates are putting the losses at US $2bn.

The PM of Singapore announces the setting up of a National Cyber Security Centre which will boost the national capability of Singapore to counter cyber security threats. In his own words: “Singapore is a highly networked government and this itself has created a very significant vulnerability to cyber attacks.”


How serious is the risk

The fact of the matter is that:

Over the last 5 years, 79%-83% of organisations have experienced a breach.

Over the last 5 years, there have been 2,807 publicly disclosed data breaches worldwide resulting in damages exceeding US $139 bn. (Source: Digital Forensics Association USA)

In 2010 alone, some 16 million confidential records were exposed through more than 662 reported security breaches (Source: Identity Theft Resource Center USA). A March 2011 Ponemon Institute benchmark study, “U.S. Cost of a Data Breach,” found that the annualized cost from the attacks had an average cost of $7.2 million, with the average cost per compromised record in 2010 reaching $214, up 5% from 2009.

Leading insurers are reporting an increased activity in privacy breaches: “Last year, privacy breaches ran about 1-2 per week, this year, it is more like 6-8 per week.” (Beazley Syndicate)

These have been all pervasive, and governments, large consulting and accounting organisations (PWC, Deloitte, E & Y, KPMG, Accenture, Aon Consulting, Mercer EDS ...), hospitals and schools have all reported cyber security threats/attacks, leaving them vulnerable to damages ranging from the difficult-to-insure, such as lost future business and reputation, to the insurable, such as customer class action litigation, notification costs, and credit card issuer cancellation and reissuance costs.


How serious is the risk

What does it mean in terms of monetary losses?

For large organizations, the average total cost per breach is estimated at USD 6.75M per incident, an increase from $6.6M, $6.3M & $4.8M in 2009, 2008, and 2007.

The cost to resolve a breach ranged from $750,000 to $31,000,000, and the number of records breached ranged from 5,000 to 101,000.

The average cost per compromised record was $204, an increase from $202, $197, and $182 in 2009, 2008, and 2007.

Data breaches experienced by “first timers” are more expensive than those encountered by organizations that have had previous data breaches ($198 vs. $228).

From an insurance standpoint, Aon benchmarking indicates that approximately 80 percent of reported breaches result in total defense and indemnity costs of less than $1 million, approximately 15 percent result in insurable damages between $1 million and $20 million, and approximately five percent result in total costs above $20 million.


Cyber security breaches are now a painful reality for organizations of all kinds, at all levels, and cyber risk is now identified as a top 10 risk for companies.


What types of Organizations are exposed to the risk

All organisations whose data is stored/transmitted in, and business is conducted through, hardware and software systems including computers and servers, data centres, mobile devices (BlackBerrys, laptops, VOIP), third party IT vendors.

All organisations that are highly networked and whose core activities depend on the computer systems to conduct their day to day operations, e.g. Financial Institutions like the Banks, Stock Exchanges, Insurance Companies and almost any other type of large organisations including Government departments, etc.

All organisations who hold proprietary and confidential data of various people. These would include the following types of data:

PII (Personally Identifiable Information) – Banks, Insurance companies (all Financial companies, and government departments)

PHI (Personal Health Information).

Credit Cards and other financial information - All companies who engage in e-commerce are highly vulnerable to this risk.

All High profile companies are exposed to increased risks of cyber extortion and e-theft.

All IT companies who render professional services for design and maintenance of the IT systems of the above companies and are custodians of the above databases by virtue of their service agreements.


Consequences and other implications of Cyber Attacks

Cyber attacks could lead to property loss (including laptops), disclosure of confidential data (data pertaining to clients, the company’s own financial and other confidential data, sensitive HR data relating to Employees), corruption or loss of an organisation’s systems or data, corruption or loss of third party systems or data, thereby resulting in:

Suspension of activities leading to Business Interruption losses (besides direct property losses!)

Drop in the Stock Price

Regulatory Fines and Penalties and increased supervision from Government authorities thereafter.

Notification expenses

Significant other costs such as Forensics costs (to investigate the Security breach), PR costs, Crisis communication costs and consultancy costs.

Multiple class action lawsuits from people affected by the privacy breach leading to higher legal and defense costs and ultimately settlements.

The biggest cost so far is the liability to banks that must cancel and reissue credit and debit cards.

Once a breach occurs, the breached entity faces embarrassment and public relations nightmares, loss of business, litigation and liability, investigations by regulators and government agencies, and significant expenses.


Why should you incept a separate cyber risk policy

Traditional Policies are not transitioned to the digital world and therefore are not adapted to cover the peculiar losses that arise from cyber risks.

Material gaps often observed in the traditional policies are:

General Liability covers bodily injury and property damage – not economic losses.

E & O policies provide for economic damages resulting from a failure of defined services ONLY, and often contain exclusions for data and privacy breaches. The E & O policies are not designed to cover:

Business interruption

Property damage

Costs/Losses associated with internal systems problems and loss of the organisation’s related data/employee data

Property Insurance covers tangible property – data is not tangible property. Loss must be caused by a physical peril – perils to data are viruses and hackers.

Traditional Fidelity policies only cover employees and only cover money, security and tangible property – internal systems are exposed to the world at large and data is not tangible. No coverage for third party property data. Also they all require intention to make personal gain, sometimes identification and prosecution of the perpetrator, all of which are difficult in the cyber world.


What are the typical coverages available

FIRST PARTY COVERAGE (triggered by discovery of an incident)

Privacy Event Expenses (usually sub-limited)

Cyber Extortion

Business Interruption

Digital Asset Protection

THIRD PARTY LIABILITY (triggered by a claim)

Security Liability

Privacy Liability

Privacy Regulatory Proceedings (usually sub-limited)

Website Media Liability:


How can Aon Global help you

Aon delves deep into the following exposures to customise policy terms and does a detailed analysis of coverage strengths, weaknesses and gaps to arrive at bespoke insurance.


How can Aon Global help you

Diverse backgrounds in law, consulting services, technology, intellectual property and insurance

Marketplace differentiator for convergent risks with components of Errors & Omissions Liability, Media Liability, Network Security & Privacy Liability, and Intellectual Property Infringement fundamentally changed industry

Legal expertise leads to expert policy customization, contract reviews and claim advocacy

Claims experts manage carrier relationships and advocate to get your claim paid

Unparalleled understanding of evolving professional liability and privacy exposures

Team members collaborate and share expertise in a geographically aligned model, with colleagues on the ground in San Francisco, Denver, Chicago, Philadelphia, London and Singapore.
