cyber risks: understanding the unknown
TRANSCRIPT
Cyber Risks: Understanding the Unknown
Carlos Wong
Senior Director, Analytics, A.M. Best
Pablo Vasquez
Financial Analyst, A.M. Best
April 2016
Disclaimer
7th April 2016Cyber Risks: Understanding the Unknown 2
© AM Best Company (AMB) and/or its licensors and affiliates. All rights reserved. ALL INFORMATION CONTAINED HEREIN IS PROTECTED BY COPYRIGHT LAW AND NONE OF SUCH INFORMATION MAY BE COPIED OR OTHERWISE REPRODUCED, REPACKAGED, FURTHER TRANSMITTED, TRANSFERRED, DISSEMINATED, REDISTRIBUTED OR RESOLD, OR STORED FOR SUBSEQUENT USE FOR ANY SUCH PURPOSE, IN WHOLE OR IN PART, IN ANY FORM OR MANNER OR BY ANY MEANS WHATSOEVER, BY ANY PERSON WITHOUT AMB’s PRIOR WRITTEN CONSENT. All information contained herein is obtained by AMB from sources believed by it to be accurate and reliable. Because of the possibility of human or mechanical error as well as other factors, however, all information contained herein is provided “AS IS” without warranty of any kind. Under no circumstances shall AMB have any liability to any person or entity for (a) any loss or damage in whole or in part caused by, resulting from, or relating to, any error (negligent or otherwise) or other circumstance or contingency within or outside the control of AMB or any of its directors, officers, employees or agents in connection with the procurement, collection, compilation, analysis, interpretation, communication, publication or delivery of any such information, or (b) any direct, indirect, special, consequential, compensatory or incidental damages whatsoever (including without limitation, lost profits), even if AMB is advised in advance of the possibility of such damages, resulting from the use of or inability to use, any such information. The credit ratings, financial reporting analysis, projections, and other observations, if any, constituting part of the information contained herein are, and must be construed solely as, statements of opinion and not statements of fact or recommendations to purchase, sell or hold any securities, insurance policies, contracts or any other financial obligations, nor does it address the suitability of any particular financial obligation for a specific purpose or purchaser.
Credit risk is the risk that an entity may not meet its contractual, financial obligations as they come due. Credit ratings do not address any other risk, including but not limited to, liquidity risk, market value risk or price volatility of rated securities. NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, TIMELINESS, COMPLETENESS, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OF ANY SUCH RATING OR OTHER OPINION OR INFORMATION IS GIVEN OR MADE BY AMB IN ANY FORM OR MANNER WHATSOEVER. Each credit rating or other opinion must be weighed solely as one factor in any investment or purchasing decision made by or on behalf of any user of the information contained herein, and each such user must accordingly make its own study and evaluation of each security or other financial obligation and of each issuer and guarantor of, and each provider of credit support for, each security or other financial obligation that it may consider purchasing, holding or selling.
Disclaimer
US Securities Laws explicitly prohibit the issuance or maintenance of a credit rating where a person involved in the sales or marketing of a product or service of the CRA also participates in determining or monitoring the credit rating, or developing or approving procedures or methodologies used for determining the credit rating.
No part of this presentation amounts to sales / marketing activity and A.M. Best’s Rating Division employees are prohibited from participating in commercial discussions.
Any queries of a commercial nature should be directed to A.M. Best’s Market Development function.
Agenda
• Defining Cyber Risk and its Scale
• Cyber Risk and Enterprise Risk Management
• Cyber Risk and the Insurance Market
• Cyber Risk and Insurers’ Credit Ratings
• Q & A
Approach to (Cyber) Risks
PREVENTION – MITIGATION – RECOVERY
Technology – People – Processes – Insurance Solutions
Defining Cyber Risk
• Cyber risk spreads and mutates along with technology
• Hard to model
• Can be seen as an additional tax on innovation
“The business risk associated with the use,
ownership, operation, involvement, influence and
adoption of IT within an enterprise”
(ISACA IT Risk Framework)
Defining Cyber Risk
Cyber risk can derive from either non-malicious failures or malicious attacks
• Technological failures
• Human error
• Terrorism
• Espionage
• Financial crime
• Sabotage
Defining Cyber Risk
There is more than data loss… typical losses/damages:
• Breach of intellectual property
• Business interruption
• Extortion
• Financial fraud
• Breach of privacy
• Network failure liabilities
• Reputational loss
• Physical damage
• Recovery costs
Scale of the Risk
Source: McAfee
Growing risk
• One of the five most likely risks (WEF)
• 66% annual growth rate last 5 years (PwC survey)
• Annual global cost - USD 375-575 billion in 2014 (USD 100 billion from the United States) (McAfee)
Scale of the Risk
Cybercrime as a percentage of GDP (McAfee)
(*) Confidence

Country         % GDP   (*)   G20
Argentina       N/A
Australia       0.08%   M     X
Brazil          0.32%   M     X
Canada          0.17%   M     X
China           0.63%   H     X
Colombia        0.14%   L
EU              0.41%   L     X
France          0.11%   L     X
Germany         1.60%   H     X
India           0.21%   L     X
Indonesia       N/A
Ireland         0.20%   M
Italy           0.04%   L
Japan           0.02%   L     X
Kenya           0.01%   L
Korea           N/A
Malaysia        0.18%   M
Mexico          0.17%   M     X
Netherlands     1.50%   H
New Zealand     0.09%   M
Nigeria         0.08%   M
Norway          0.64%   H
Russia          0.10%   M     X
Saudi Arabia    0.17%   L     X
Singapore       0.41%   M
South Africa    0.14%   M
Turkey          0.07%   L     X
UAE             0.11%   M
UK              0.16%   L     X
United States   0.64%   H     X
Vietnam         0.13%   L
Zambia          0.19%   L
Scale of the Risk
Cybercrime likelihood and impact (WEF)
Scale of the Risk
Recent large cyber events (A.M. Best)
Key medium-term trends
Big Data (collection and use across all industries)
All businesses “in the cloud” – interconnected
“Weapon of mass destruction” (systemic risk)
Millennials (perception of data privacy)
Greater reputational risk
Lack of skills (supply – demand dynamics)
Increase in exposure and frequency of attacks
Cyber Risk and Enterprise Risk Management (ERM)
Increased awareness
Cyber cannot be avoided – “cyber resilience”
US, UK and others - National Institute of Standards and Technology (NIST), Cyber Essentials schemes, etc.
Traditional approach to risk management – does it work?
• Identification and measurement
• Management
• Monitoring
• Response / Recovery
Cyber Risk and Enterprise Risk Management (ERM)
Identification and measurement
• Levels of information
• Threats
• Measurement:
  • Assets and liabilities
  • Scenarios
• Cyber:
  • Technological readiness vs. “the human factor”
  • The active “adversary”
  • Occurrence changes everything (“it can be done”)
Cyber Risk and Enterprise Risk Management (ERM)
Management
• Avoiding not an option
• Self-coverage vs. risk transfer
  • Financial institutions – risk / solvency capital
  • Insurance policies, other legal options
• Protection
  • Data security, firewalls, etc.
• Cyber:
  • Businesses need to be “open”
  • Aggressive approaches (“ahead of the curve”, “war scenarios”)
Cyber Risk and Enterprise Risk Management (ERM)
Monitoring
• Focus on identified exposures
• Compliance with policies of usage, registers, activity logs, etc.
• Cyber:
  • Evolving threat – “know the enemy”
  • Enterprise-wide 360 view (“E” from ERM)
Response & Recovery
• Incident response plans: recover infrastructure, restore data, reconnect services
• Cyber:
  • Prompt action more important
Cyber Risk and Enterprise Risk Management (ERM)
Cyber Risks and ERM (1)
• Board awareness - improving
• Culture important - Insider threats:
  • Access, mobility, accountability, behavior
  • Accidental, renegade and malicious insiders
  • External perimeters not enough! Monitor insiders (from inside and outside)
• “Cyber Hygiene” - way of improving cyber risk culture
• Growing call for cyber regulation
• Strategic view on Cyber Risks – required
  • NIST (National Inst. of Standards & Tech) Initiatives
Cyber Risk and Enterprise Risk Management (ERM)
Cyber Risks and ERM (2)

Function                         Cyber risk role
Risk Management, IT, Compliance  Identification, Monitoring, Management & Recovery
Compliance                       Control (law & internal)
Finance                          “Cyber Risk” charge
Legal                            Regulation, litigation, contracts, etc.
Board                            Appetite for cyber risks
Personnel                        Insider threats and lack of cyber talent
Cyber Risk and Insurance
Approximately USD 2.5 bn gross premiums in ‘15
• 2018: USD 5 bn, 2020: USD 7.5 bn – realistic?
• Approx. 75% from the United States
  • First market to adopt standalone solutions
  • Especially data breaches
• 60 providers offering standalone cyber covers
• UK companies relatively small (GWP ‘14: GBP 25 m)
• London underwrites 10% of global cyber
• Approx. GBP 100 bn - estimated global exposure of insurance to cyber risk (standalone policies limits)
• Approx. GBP 20 bn - estimated global PML from a single event (20% assumption based on property risk)
Sources: AM Best, HM Government, Marsh
Cyber Risk and Insurance
Number of companies purchasing cyber insurance up 27% year on year in 2015 (US market, Marsh)
All US Market, Marsh Clients
32% year on year increase in 2014
21% year on year increase in 2013
Cyber Risk and Insurance
Health Care: Disproportionate market penetration
Abundance of personal information
All US Market, Marsh Clients
Cyber Risk and Insurance
Media and financials - highest average limits
• Limits grew in ‘15 across all industries / business sizes
• Abundant (theoretical) capacity available
• Rate increases across all industries in 2015
All US Market, Marsh Clients
Cyber Risk and Insurance
Types of cyber risk coverage include:
• Loss / corruption of data
• Business interruption
• Liability (privacy breach, virus, unavailability of systems)
• D&O / management liability
• Cyber extortion and criminal rewards
• Crisis management
• Data breach
• Identity theft
• Cloud computing
Cyber Risk and Insurance
The nature of the risk:
• Hard to model - data quantity and quality issue:
  • Lack of historical series (no mandatory disclosure)
  • Companies are unaware they have been targeted
  • Companies do not want to disclose (reputational, legal implications)
  • Mutating with technology / deliberate attacks
• Similar challenges as for terrorism, D&O, fidelity & crime
• Hard to price
• High global correlation – systemic risk
Cyber Risk and Insurance
Reading the pricing (2):
• All factors suggest conservative underwriting
• Side effect – flat pricing provides no incentive for insured to reduce cyber risk and save on premiums
Cyber Risk and Insurance
Survey results:
• 52% of large UK companies believe they have cover (PwC survey, 2014)
• However - only 10% actually do (Combined research Marsh & Zurich)
• Failure to communicate value of cover from insurers / poor understanding of the risk and policies by companies
• All providers within a tight price range
• Suggests shared (uncertain) view on risk pricing
Cyber Risk and Insurance
Hot topics:
• Regulatory pressure
• Public / private sector debate on accountability
• Untested legal framework
Cyber Risk and Insurance
The analysis of the market suggests:
• Broad range of covers offered by insurers
• No price differentiation with low limits
• Would more refined modelling / data change this?
• Main price factors: Geographical (US / Europe / SE Asia / Emerging countries) and size of operations
• Smaller companies: limited appetite, under-estimation of risk (lower penetration of standalone policies), high rates
• Large US insurers concerned about exposure to catastrophe events. Need for higher limits/capacity
Cyber Risk and Insurance Credit Ratings
Definition of Cyber Risk and Scale
Insurance Industry: Seller [Underwriting] / Buyer [ERM]
Rating Assessment
Cyber Risk and Insurance Credit Ratings
Standard questions and forms
• Number of policies written, premiums, % direct business, type of policy, line of business, etc.
• Risk management regime
• Secure configuration
• Network
• Users (PEA)
• Incident management
• Malware prevention
• Monitoring
• Removable media
• Home and mobile
Cyber Risk and Insurance Credit Ratings
Scenario analysis
• Exposures and level of sophistication of the insurer
Possible cyber catastrophe scenarios*:
• Payment processing services - security breach at largest provider; e-commerce payments down for 48 hours
• Electricity transmission system - cyber attack - shutdown for 48 hours
• Cloud data - world’s largest provider suffers major breach of security
• Cloud-based application hosting - world’s largest provider suffers 24-hour outage
*Marsh, UK HM Treasury
Cyber Risk and Insurance Credit Ratings
Non-writers of standalone cyber risks (1)
• The case of cloud computing and contingent business interruption insurance
• 30% of Fortune 1000 companies deployed at least one business critical system in the cloud (2015)
• 78% of UK organizations – at least one cloud-based service
[Diagram: Insurer – Co. #1, Co. #2, Co. #3, …]
Source: Kennedys
Cyber Risk and Insurance Credit Ratings
Non-writers of standalone cyber risks (2)
• Contingent Business Interruption - loss of profit linked to physical damage to dependent property (i.e. property operated by third parties that delivers, accepts or manufactures products or services to the policyholder)
• Is the Cloud dependent property?
• US and UK - past court cases suggest that physical damage may include certain events (loss of data, suspension of services)
Source: Kennedys
Cyber Risk and Insurance Credit Ratings
Threat of a cyber mega-event:
• Success/diffusion of the cloud
• Low levels of risk transfer
• Accumulations:
  • Ineffective exclusion clauses
  • Broad definition of physical damage
Cyber Risk and Insurance Credit Ratings
Final Considerations
• Systemic Risk
• Insurance industry - may not be ready to adequately mitigate the risk yet
• Understanding buyer / seller side - in development
• Pressure on rating agencies to reflect this risk in their assessment
• New challenges:
• Broader rating approach?
• Data scoring rating?
Cyber Risk: Understanding the Unknown
Q&A
Contacts
Carlos Wong, Senior Director, Analytics, [email protected]
Pablo Vasquez, Financial Analyst, [email protected]
A.M. Best
@AMBestEMEA, @AMBestRatings, @AMBestCo
Creating a culture of risk awareness™
Global Association of Risk Professionals
111 Town Square Place, Suite 1410, Jersey City, New Jersey 07310, USA, +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, UK, +44 (0) 20 7397 9630
www.garp.org
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make
better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies,
academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®)
exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for
professionals of all levels. www.garp.org.
© 2012 Global Association of Risk Professionals. All rights reserved.