cyber risk presentation 2013 (agib)
TRANSCRIPT
8/12/2019 Cyber Risk Presentation 2013 (AGIB)
http://slidepdf.com/reader/full/cyber-risk-presentation-2013-agib 1/17
Cyber Risk – The Risk no business can ignore
Cyber Risk Presentation
Agenda
Primarily for the Sales and the FSPG teams to understand what cyber security attacks, breaches, liabilities and first party losses are, and to understand and be able to explain the coverages in a cyber security policy.
Basically we will focus on:
The meaning of a cyber attack
How serious is the risk?
What types of Organizations are exposed to the risk?
What are the consequences and other implications of Cyber Crime that victims suffer besides just 1st party financial Loss?
Is Coverage available?
Why should you incept a separate cyber risk policy?
What are the typical coverages available?
How can Aon help you?
Any Questions?
The meaning of a cyber attack
Cyber attack means unauthorised access, unauthorised use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organisation’s computer system, causing losses to the victim organisation, and/or may result in Failure of Security or Denial of Service.
What is Denial of Service? Denial of service means the inability of a third party, who is authorised to do so, to gain access to the organisation’s computer system through the internet in a manner in which the third party is legally entitled.
What is Failure of Security? Failure of security means failure of the organisation’s hardware, software or firmware (including firewalls, filters, DMZs, computer virus protection software, intrusion deletion or theft and the electronic use of passwords or access codes or similar identification of authorised users) whose purpose is to prevent a computer attack, unauthorised access, unauthorised use and/or disclosure of confidential or private information and/or the transmission of a computer virus into or from the Organisation’s computer system to actually prevent any of the foregoing events.
Cyber-attack means the transmission of fraudulent or unauthorized Data that is designed to modify, alter, damage, destroy, delete, record or transmit information within a System without authorization, including Data that is self-replicating or self-propagating and is designed to contaminate other computer programs or legitimate computer Data, consume computer resources or in some fashion usurp the normal operation of a System.
How serious is the risk?
Recently:
In early August 2011, Hong Kong Stock Exchange forced trading suspension in eight listed companies following cyber attacks by hackers.
Apple has faced several lawsuits from iPhone users over privacy concerns following claims that some iPhone applications share users’ personal information with advertisers.
Sony Computer Entertainment America reported a security breach of its PlayStation Network by hackers who gained unauthorised access to personal information on some 100+ million subscribers, which resulted in a security incident so broad that it not only caused Sony to incur business losses because it had to suspend operations but also left Sony exposed to multiple class action lawsuits. Early estimates are putting the losses at US $2bn.
The PM of Singapore announces the setting up of National Cyber Security Centre which will boost the national capability of Singapore to counter cyber security threats. In his own words: “Singapore is a highly networked government and this itself has created a very significant vulnerability to cyber attacks.”
How serious is the risk
The fact of the matter is that:
Over the last 5 years, 79%-83% of organisations have experienced a breach.
Over the last 5 years, there have been 2,807 publicly disclosed data breaches worldwide resulting in damages exceeding US $139 bn. (Source: Digital Forensics Association USA)
In 2010 alone, some 16 million confidential records were exposed through more than 662 reported security breaches. (Source: Identity Theft Resource Center USA) A March 2011 Ponemon Institute benchmark study, “U.S. Cost of a Data Breach,” found that the annualized cost from the attacks had an average cost of $7.2 million with the average cost per compromised record in 2010 reaching $214, up 5% from 2009.
Leading insurers are reporting an increased activity in privacy breaches: “Last year, privacy breaches ran about 1-2 per week, this year, it is more like 6-8 per week.” (Beazley Syndicate)
These have been all pervasive, and governments, large consulting and accounting organisations (PWC, Deloitte, E & Y, KPMG, Accenture, Aon Consulting, Mercer EDS …….), hospitals and schools have all reported cyber security threats/attacks leaving them vulnerable to damages ranging from difficult-to-insure damages, such as lost future business and reputation, to insurable damages such as customer class action litigation, notification costs, and credit card issuer cancellation and reissuance costs.
How serious is the risk
What does it mean in terms of monetary losses?
For large organizations, the average total cost per breach is estimated at USD 6.75M per incident, an increase from $6.6M, $6.3M & $4.8M in 2009, 2008, and 2007.
The cost to resolve a breach ranged from $750,000 to $31,000,000, and the number of records breached ranged from 5,000 to 101,000.
The average cost per compromised record was $204, an increase from $202, $197, and $182 in 2009, 2008, and 2007.
Data breaches experienced by “first timers” are more expensive than those encountered by organizations that have had previous data breaches ($198 vs. $228).
From an insurance standpoint, Aon benchmarking indicates that approximately 80 percent of reported breaches result in total defense and indemnity costs of less than $1 million, approximately 15 percent result in insurable damages between $1 million and $20 million, and approximately five percent result in total costs above $20 million.
Cyber security breaches are now a painful reality for organizations of all kinds, at all levels and it now is
identified as a top 10 risk for companies.
What types of Organizations are exposed to the risk
All organisations whose data is stored/transmitted in, and business is conducted through, hardware and software systems including computers and servers, data centres, mobile devices (BlackBerrys, laptops, VOIP), third party IT vendors.
All organisations that are highly networked and whose core activities depend on the computer systems to conduct their day to day operations, e.g. Financial Institutions like the Banks, Stock Exchanges, Insurance Companies and almost any other type of large organisations including Government departments, etc.
All organisations who hold proprietary and confidential data of various people. These would include the following types of data:
PII (Personally Identifiable Information) – Banks, Insurance companies (all Financial companies, and government departments)
PHI (Personal Health Information).
Credit Cards and other financial information - All companies who engage in e-commerce are highly vulnerable to this risk.
All High profile companies are exposed to increased risks of cyber extortion and e-theft.
All IT companies who render professional services for design and maintenance of the IT systems of the above companies and are custodians of the above databases by virtue of their service agreements.
Consequences and other implications of Cyber Attacks
Cyber attacks could lead to property loss (including laptops), disclosure of confidential data (data pertaining to clients, the company’s own financial and other confidential data, sensitive HR data relating to Employees), corruption or loss of an organisation’s systems or data, corruption or loss of third party systems or data, thereby resulting in:
Suspension of activities leading to Business Interruption losses (besides direct property losses!)
Drop in the Stock Price
Regulatory Fines and Penalties and increased supervision from Government authorities thereafter.
Notification expenses
Significant other costs such as Forensics costs (to investigate the Security breach), PR costs, Crisis communication costs and consultancy costs.
Multiple class action law suits from people affected by the privacy breach leading to higher legal and defense costs and ultimately settlements.
The biggest cost so far is the liability to banks that must cancel and reissue credit and debit cards.
Once a breach occurs, the breached entity faces embarrassment and public relations nightmares, loss of business, litigation and liability, investigations by regulators and government agencies, and significant expenses.
Why should you incept a separate cyber risk policy
Traditional Policies are not transitioned to the digital world and therefore are not adapted to cover the peculiar losses that arise from cyber risks.
Material gaps often observed in the traditional policies are:
General Liability covers bodily injury and property damage – not economic losses.
E & O policies provide for economic damages resulting from a failure of defined services ONLY, and often contain exclusions for data and privacy breaches. The E & O policies are not designed to cover:
Business interruption
Property damage
Costs/Losses associated with internal systems problems and loss of the organisation’s related data/employee data
Property Insurance covers tangible property – data is not tangible property. Loss must be caused by a physical peril – perils to data are viruses and hackers.
Traditional Fidelity policies only cover employees and only cover money, security and tangible property – internal systems are exposed to the world at large and data is not tangible. No coverage for third party property data. Also they all require intention to make personal gain, sometimes identification and prosecution of the perpetrator, all of which are difficult in the cyber world.
What are the typical coverages available
FIRST PARTY COVERAGE (triggered by discovery of an incident)
Privacy Event Expenses (usually sub-limited)
Cyber Extortion
Business Interruption
Digital Asset Protection
THIRD PARTY LIABILITY (triggered by a claim)
Security Liability
Privacy Liability
Privacy Regulatory Proceedings (usually sub-limited)
Website Media Liability
How can Aon Global help you
Aon delves deep into the following exposures to customise policy terms and does a detailed analysis of coverage strengths, weaknesses and gaps to arrive at bespoke insurance.
How can Aon Global help you
Diverse backgrounds in law, consulting services, technology, intellectual property and insurance
Marketplace differentiator for convergent risks with components of Errors & Omissions Liability, Media Liability, Network Security & Privacy Liability, and Intellectual Property Infringement fundamentally changed industry
Legal expertise leads to expert policy customization, contract reviews and claim advocacy
Claims experts manage carrier relationships and advocate to get your claim paid
Unparalleled understanding of evolving professional liability and privacy exposures
Team members collaborate and share expertise in a geographically aligned model, with colleagues on the
ground in San Francisco, Denver, Chicago, Philadelphia, London and Singapore.